[53001] in North American Network Operators' Group


Re: How to secure the Internet in three easy steps

daemon@ATHENA.MIT.EDU (Paul Vixie)
Fri Oct 25 15:39:29 2002

From: Paul Vixie <paul@vix.com>
To: nanog@merit.edu
In-Reply-To: Message from Sean Donelan <sean@donelan.com> 
	of "Fri, 25 Oct 2002 14:57:23 -0400."
	<Pine.GSO.4.40.0210251448210.29753-100000@clifden.donelan.com> 
Date: Fri, 25 Oct 2002 19:38:39 +0000
Errors-To: owner-nanog-outgoing@merit.edu


> > > 1. Require all providers install and manage firewalls on all subscriber
> > > connections enforcing source address validation.
> >
> > i can see how the end to end principle applies in cases 2 and 3, but not 1.
> 
> I didn't make any of these up.  They've all been proposed by serious,
> well-meaning people.

i recommend caution with your choice of words.  apparently not everyone
treats "well meaning" as the compliment that it is.

> If you have 2 and 3, why do you need to waste global addresses on 1.

i don't believe that 2 or 3 will ever happen, for simple market reasons --
it is harder to make money if you do 2 or 3.  however, 1 only costs a small
bit of ops expense, and has no market impact at all, so it's practical in
simple economic terms.

> It's a misunderstanding of what source address validation is.  Some folks
> think it should work like ANI, where the telephone company writes the
> "correct" number on the call at the switch.

ouch.  i guess you're right.  perhaps a copy of BCP38 should come with
every router sold?
