BCP38 thread 93,871,738,435 (was Re: register.com down sev0?)

This would appear, on its face, to be an easy exercise in
educating
the IPSs in the foodchain.

Is there reasonable enough interest with NANOG to do that?
If so,
I volunteer to workshop at the next NANOG.

But only if there is reasonable consensus to that effect. Or
someone
else could do it, too. 

The point I'm trying to make is that if the community thinks
it
is valuable, then the path is clear.

If not, then... 

- ferg



-- Sean Donelan <seandonelan.com> wrote:

The only data I have is from the MIT anti-spoofing test
project which
has been pretty consistent for a long time.  About 75%-80%
of the nets, 
addressses, ASNs tests couldn't spoof, and about 20%-25%
could.

The geo-location maps don't show much difference between
parts of
the world.  RIPE countries don't seem to be better or worse
than ARIN
countries or APNIC countries or so on.  ISPs on every
continent seem
to be about the same.

http://spoof
er.csail.mit.edu/summary.php

If someone finds the silver bullet that will change the
remaining 25% or
so of networks, I think ISPs on every continent would be
interested.


On Thu, 26 Oct 2006, Fergie wrote:
> No.
>
> I think that is indicative of the problem.
>
> Don't you?
>
> -- Sean Donelan <seandonelan.com> wrote:
> On Thu, 26 Oct 2006, Fergie wrote:
>> I don't want to detract from the heat of this
discussion, as
>> important as it is, but it (the discussion)
illustrates a point
>> that RIPE has recognized -- and is actively
perusing -- yet, ISPs
>> on this continent seem consistently to ignore: The
consistent
>> implementation of BCP 38.
>>
>> It is nothing less than irresponsible, IMO...
>>
>> Why _is_ that?
>
> Do you have any data concerning the actual consistent
deployment of
> BCP38++ in different parts of the world?


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspo
t.com/

On Thu, 26 Oct 2006, Fergie wrote:

> The point I'm trying to make is that if the community
thinks it is 
> valuable, then the path is clear.

What is the biggest problem to solve? Would it be enough for
ISPs to make 
sure that they will not send out packets which didn't belong
within their 
PA blocks, or is it that one user shouldn't be able to spoof
at all (even 
IPs adjacant to their own)? Would the global problem go away
if global 
spoofing stopped working?

I of course realise that it's best if user cannot spoof at
all, but it 
might be easier for ISPs to filter based on their PA blocks
than to (in 
some cases) purchase new equipment to replace their current
equipment that 
cannot do IP spoof filtering.

-- 
Mikael Abrahamsson    email: swmikeswm.pp.se

On Thu, 26 Oct 2006, Mikael Abrahamsson wrote:

>
> On Thu, 26 Oct 2006, Fergie wrote:
>
> > The point I'm trying to make is that if the
community thinks it is
> > valuable, then the path is clear.
>
> I of course realise that it's best if user cannot spoof
at all, but it
> might be easier for ISPs to filter based on their PA
blocks than to (in

do your customers:
1) not bring their own ip space?
2) always advertise to you their ip space?