My google fu is failing me, but I believe there was a NANOG posting a year
or two ago that mentioned that if the top x providers would implement BCP 38
then y% of the traffic (or Internet) would be de-spoofed. The point was
that we don't even need everyone to implement BCP 38, but if the largest
(transit?) providers did it, then UDP reflection attacks could be minimized.
If someone can recall the key words in that posting and dig it up, that
would be much appreciated.
Applying BCP38 at those level is more risky because of the sheer
volume of transit & prefixes.
For years, people have been working hard pushing the responsibility
of BCP38 to outside their sandbox.
You may remember one of those instance.
If you assume 80% of traffic comes out of your local CDN node, that remaining 20%
may not be too difficult for you to do something with. The problem appears because
various engineering thresholds that existed in the 90s have been violated.
40(64) byte packet testing is no longer the norm by vendors. Those of us who carry
a full table and are expected to provide all the features are the minority in
purchasing equipment by volume and revenue so the push is harder. A double lookup
of the packet is twice as expensive and perhaps impractical in some (or many) cases.
It was me, Frank, as I said in an offlist email your mail server a) didn't
like and b) took 4 days to complain about.
I believe I said "top 10" or "top 20" eyeball carriers, and I was shooting
from the hip, based on my apprehension of the sizes there of. 80/20 rule, as
Wouldn't you want BCP38 policies to be as close as possible to the traffic sources? Instead of creating more "fake" traffic?
And at the same time, partial filtering doesn't seem as a very effective way to fight spoofed traffic on a large scale.
* Laurent Dumont:
Wouldn't you want BCP38 policies to be as close as possible to the
traffic sources? Instead of creating more "fake" traffic?
Maybe as close as possible, but still without sacrificing source
network attribution is sufficient.
And at the same time, partial filtering doesn't seem as a very
effective way to fight spoofed traffic on a large scale.
That depends on the problems caused by spoofed traffic. My hunch is
that non-policing networks emit a constant trickle of spoofed traffic
which does not cause any problems, and that traffic can be used to
detect lack of policing even without actual abuse of the spoofing