[59289] in North American Network Operators' Group
Re: ISPs are asked to block yet another port
daemon@ATHENA.MIT.EDU (Paul Vixie)
Mon Jun 23 17:55:48 2003
To: nanog@merit.edu
From: Paul Vixie <vixie@vix.com>
Date: 23 Jun 2003 21:55:16 +0000
In-Reply-To: <3EF75D9B.3050808@brightok.net>
Errors-To: owner-nanog-outgoing@merit.edu
jbates@brightok.net (Jack Bates) writes:
> There is another fix for it. If neither provider allowed spoofing, then
> the individual couldn't send spoofed packets out one way and allow the
> syn/ack back via the other. Of course, there are better reasons for
> spoof protection ingress/egress than a little port 25 traffic.
until the larger isp's start writing BCP38 conformance into both their
peering agreements AND their customer agreements, we're not going to see
any improvements in source address authenticity. see also ICANN SAC004
(http://www.icann.org/committees/security/sac004.txt).
--
Paul Vixie
