Thread: register.com down sev0?




register.com down sev0?
user name
2006-10-26 05:11:14
I don't want to detract from the heat of this discussion, as
important as it is, but it (the discussion) illustrates a point
that RIPE has recognized -- and is actively perusing -- yet, ISPs
on this continent seem consistently to ignore: The consistent
implementation of BCP 38.

It is nothing less than irresponsible, IMO...

Why _is_ that?

- ferg



-- "Patrick W. Gilmore" <patrickianai.net> wrote:

[snip]

There is no single "appropriately[sic] place" which can absorb
50Mpps.  If you meant "appropriately placed" (as in topologically
dispersed locations), a well crafted attack could still guarantee _at
least_ a partial DoS from an end user PoV.

It is essentially impossible to distinguish end-user requests from
(im)properly created DoS packets (especially until BCP38 is widely
adopted - i.e. probably never).  Since there is no single place - no
13 places - which can withstand a well crafted DoS, you are
guaranteed that some users will not be able to reach any of your
listed authorities.

This is not speculation, this is fact.  All a good provider can do,
even with 1000s of servers, is minimize the impact of any DoS.

[snip]


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/

BCP38 thread 93,871,738,435 (was Re: register.com down sev0?)
user name
2006-10-26 05:27:30
On Thu, 26 Oct 2006, Fergie wrote:
> I don't want to detract from the heat of this discussion, as
> important as it is, but it (the discussion) illustrates a point
> that RIPE has recognized -- and is actively perusing -- yet, ISPs
> on this continent seem consistently to ignore: The consistent
> implementation of BCP 38.
>
> It is nothing less than irresponsible, IMO...
>
> Why _is_ that?

Do you have any data concerning the actual consistent deployment of
BCP38++ in different parts of the world?

10,352 active botnets (was Re: register.com down sev0?
user name
2006-10-26 15:25:48
On Thu, 26 Oct 2006 05:11:14 -0000, Fergie said:
> I don't want to detract from the heat of this discussion, as
> important as it is, but it (the discussion) illustrates a point
> that RIPE has recognized -- and is actively perusing -- yet, ISPs
> on this continent seem consistently to ignore: The consistent
> implementation of BCP 38.
>
> It is nothing less than irresponsible, IMO...
>
> Why _is_ that?

The same people I mentioned the other day as not having enough clue to
do DNS correctly don't have enough clue to do BCP38 correctly either.
As one person mentioned, if stuff still requires pioneer-level skillsets
to use, the pioneers have more work to do.  The problem is that the
following wave seems to be made up mostly of chimpanzees, and nobody's
figured out how to make routers and network services that can be run
by chimps...

Maybe the new slogan needs to be "Save the Internet! Train the chimps!"

10,352 active botnets (was Re: register.com down sev0?
user name
2006-10-26 20:56:10
> Maybe the new slogan needs to be "Save the Internet! Train the
> chimps!"

Shouldn't 'ip verify unicast source reachable-by rx' be a default
setting on all interfaces?  Only to be removed by trained chimps?

-Matt

--
Matthew S. Crocker
Vice President
Crocker Communications, Inc.
Internet Division
PO BOX 710
Greenfield, MA 01302-0710
http://www.crocker.com

10,352 active botnets (was Re: register.com down sev0?
user name
2006-10-26 21:38:49
Matthew Crocker wrote:
>
>> Maybe the new slogan needs to be "Save the Internet! Train the chimps!"
>
> Shouldn't 'ip verify unicast source reachable-by rx' be a default
> setting on all interfaces?  Only to be removed by trained chimps?
>

Only if you wish to break existing configurations during IOS upgrades. I could
see ip verify unicast source reachable-by any (less breakage), but rx will kill
all types of good asymmetric routing. The largest breakage I have seen caused by
rx is the link IP breakage caused by the router responding out multiple
interfaces. It's also a problem when customers are straddling the fence,
purposefully using asymmetric routing.

It would be nicer to have router support where a packet is acceptable if its
network is acceptable in the BGP (or IGP) policy/filter (ie, network may not be
there, but it is allowed) as well as the link addresses associated with the BGP
(or IGP) peer.

-Jack
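
Added example (not part of any post in the thread): a small Python model of the three source-address checks discussed above, the "rx" (strict) and "any" (loose) modes and the policy-based acceptance proposed in the last message. In IOS the keyword is spelled reachable-via. The FIB, interface names, prefixes and the POLICY table are constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation prefixes); nothing here is from the thread.
# FIB: prefix -> interface of the best return path (connected routes left out).
FIB = {"198.51.100.0/24": "ge0", "203.0.113.0/24": "ge1"}
# Hypothetical per-interface policy: prefixes the peer's BGP/IGP filter permits,
# plus the link subnet shared with that peer.
POLICY = {
    "ge0": ["198.51.100.0/24", "192.0.2.0/30"],
    "ge1": ["198.51.100.0/24", "203.0.113.0/24", "192.0.2.4/30"],
}

def best_interface(src):
    """Longest-prefix match of src in the FIB; None when there is no route."""
    addr, best = ipaddress.ip_address(src), None
    for prefix, ifname in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def check_rx(src, in_if):
    """Strict mode: the best route back to src must use the arrival interface."""
    return best_interface(src) == in_if

def check_any(src, in_if):
    """Loose mode: any route back to src is enough, whatever the interface."""
    return best_interface(src) is not None

def check_policy(src, in_if):
    """Proposed mode: src must fall in a prefix allowed on the arrival interface."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in POLICY.get(in_if, []))

def evaluate(src, in_if):
    return {"rx": check_rx(src, in_if), "any": check_any(src, in_if),
            "policy": check_policy(src, in_if)}

if __name__ == "__main__":
    cases = [
        ("198.51.100.7", "ge0", "customer traffic on its best path"),
        ("198.51.100.7", "ge1", "same customer, asymmetric return path"),
        ("203.0.113.5", "ge0", "routed source on an interface not allowed to send it"),
        ("192.0.2.200", "ge1", "source with no route at all"),
        ("192.0.2.5", "ge1", "peer's link address"),
    ]
    for src, in_if, label in cases:
        print(f"{src:>14} via {in_if}: {evaluate(src, in_if)}  # {label}")
```

The second case is the asymmetric-routing breakage under rx; the third shows what "any" lets through that the policy-based check would drop.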