[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

BCP38 - Internet Death Penalty

On Tue, Mar 26, 2013 at 10:51 AM, Jay Ashworth <jra at baylink.com> wrote:
> But have we reached the point where it's time to start trying?


> Do we need to define a flag day, say one year hence, and start making the
> sales pitch to our Corporate Overlords that we need to apply the IDP to
> edge connections which cannot prove they've implemented BCP38 (or at very
> least, the source address spoofing provisions thereof)?  Put this in
> contracts and renewals, with the same penalty?

Yes, but scope the problem a little differently.

1. The general IDP does not apply to stub networks which do not speak
BGP. It is for those stubs' ISPs to determine how they'll handle
mis-sourced traffic they receive from those networks.

2. A BGP origin-only network is required to secure its BGP-speaking
borders against source address spoofing. It may also secure spoofing
from downstream networks (and in fact it SHOULD do so) but it avoids
the IDP so long as its BGP-speaking borders are secured.

3. A BGP transit network is required to secure all components of its
network against source address spoofing, including all non-BGP stub
customers and all origin-only BGP customers. It is not expected to
prevent spoofed packets from arriving from neighboring transit BGP

It is also expected to promptly assist (24/7/365) with trace requests
from any individual presenting legitimate credentials as the assignee
of a particular source address and presenting with reasonable evidence
that packets with a spoofed address cross a specifically identified
system owned by the transit network. Where the packet stream
continues, these trace requests must promptly result in identification
of the actual source of the packet (if within the transit network's
system) or the identification of the neighboring system, the specific
entry point and high-level contacts within the neighbor system capable
of continuing the trace.

Some number of misconfigurations which permit spoofed packets from
components of the transit network's components are to be expected and
promptly corrected.

4. Applying the IDP _does not_ mean you cut off the network. That'll
piss of your customers as much or more than it pisses off theirs. The
position is untenable. Instead, the IDP consists of redirecting the
offender's public presence web sites to a web site which proclaims the
IDP, lists the causes of the IDP and lists the actions required to
lift the IDP.

5. IDP can't be a local decision. We should elect or empanel or
otherwise select a group of individuals who decide both when a network
gets the IDP and when the IDP is lifted. Compliance with the group's
decision to impose an IDP can be optional but a riot of RBLs like have
developed in the anti-spam community would cause at least as much
trouble as it fixes.

> Do the engineering heads at the top 10 tier-1/2 carriers carry enough water
> to make that sale to the CEOs?

To ask the CEOs to authorize cutting off access to a competitor's web
site with the full support and approval of a group of recognized
Internet luminaries?

Bill Herrin

William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004