BCP 38 coverage if top x providers ...

Frank_Bulk1 · November 20, 2016, 2:13am

My google fu is failing me, but I believe there was a NANOG posting a year
or two ago that mentioned that if the top x providers would implement BCP 38
then y% of the traffic (or Internet) would be de-spoofed. The point was
that we don't even need everyone to implement BCP 38, but if the largest
(transit?) providers did it, then UDP reflection attacks could be minimized.

If someone can recall the key words in that posting and dig it up, that
would be much appreciated.

Frank

Alain_Hebert · November 22, 2016, 3:26pm

Hi Frank,

Applying BCP38 at those level is more risky because of the sheer
volume of transit & prefixes.

For years, people have been working hard pushing the responsibility
of BCP38 to outside their sandbox.

You may remember one of those instance.

Jared_Mauch · November 22, 2016, 3:44pm

If you assume 80% of traffic comes out of your local CDN node, that remaining 20%
may not be too difficult for you to do something with. The problem appears because
various engineering thresholds that existed in the 90s have been violated.

40(64) byte packet testing is no longer the norm by vendors. Those of us who carry
a full table and are expected to provide all the features are the minority in
purchasing equipment by volume and revenue so the push is harder. A double lookup
of the packet is twice as expensive and perhaps impractical in some (or many) cases.

- Jared

Jay_Ashworth · November 28, 2016, 2:44am

It was me, Frank, as I said in an offlist email your mail server a) didn't
like and b) took 4 days to complain about.

I believe I said "top 10" or "top 20" eyeball carriers, and I was shooting
from the hip, based on my apprehension of the sizes there of. 80/20 rule, as
Jared implies.

Cheers,
-- jra

Florian_Weimer · March 24, 2017, 3:07pm

* Jared Mauch:

Laurent_Dumont · March 24, 2017, 7:04pm

Wouldn't you want BCP38 policies to be as close as possible to the traffic sources? Instead of creating more "fake" traffic?

And at the same time, partial filtering doesn't seem as a very effective way to fight spoofed traffic on a large scale.

Florian_Weimer · March 24, 2017, 7:30pm

* Laurent Dumont:

Wouldn't you want BCP38 policies to be as close as possible to the
traffic sources? Instead of creating more "fake" traffic?

Maybe as close as possible, but still without sacrificing source
network attribution is sufficient.

And at the same time, partial filtering doesn't seem as a very
effective way to fight spoofed traffic on a large scale.

That depends on the problems caused by spoofed traffic. My hunch is
that non-policing networks emit a constant trickle of spoofed traffic
which does not cause any problems, and that traffic can be used to
detect lack of policing even without actual abuse of the spoofing
capability.