[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

BCP38 - Internet Death Penalty

On 3/26/13, Dobbins, Roland <rdobbins at arbor.net> wrote:
> On Mar 26, 2013, at 9:51 PM, Jay Ashworth wrote:

Perhaps you should reframe your strategy as "security problem",  and
show how providers have implemented BCP38,  how it is such a common
practice,  that not implementing BCP38  may fall short of the minimum
standard of due care  required to avoid liability,
in case your network is abused to launch an attack..      Incurs
possible legal risks that should be reviewd by lawyers,  due to
possible liability in facilitating a DoS attack.

That may be better at persuading your CEOs of large SPs than "It's
just good engineering";  it's not that following BCP38 is just
excellent practice.     It's also that ignoring BCP38 in some
circumstances might be extremely poor, even negligent practice.

Develop an industry certification/accreditation based on network
engineering practices,  and make it potentially so that service
providers want to carry it.  Then their marketing people can display
their "See our network is more secure and reliable"  logo on the
website,  and pressure other networks to seek 3rd party qualification;
 include  BCP38 as one of  several criteria,   "designed to help
reduce the degree of malicious activity, unmitigated DoS incidents,
instability,  or poor/inconsistent user experience".

If enough networks carry some sort of mark of quality, then maybe it
becomes meaningful as a tool persuasion:  there may be a smaller
quantity of demand for the purchase of services from networks that
don't carry it, unless they compensate by lowering their price.

While you're at it, include as recommended practices,
and provide multiple levels of  "Verified good network neighbor"  status:

      o 3rd party audited practices with regards to responsiveness and
cooperation by contacts to address  abuse and connectivity issues.

      o Requirement the network have a policy of assisting with the
mitigation of attack traversing any peers or customers,   through
required extensive network information sharing.

      o Truthful representation of service in all marketing materials.

      o  No "banned" internet protocols or ports, (e.g. "Our network
doesn't allow SSH protocol");  no NAT'ing by the SP.

      o A no-spamming policy,  a  no-repeated-failed-login policy, a
no port scanning policy, a no DoS policy that includes requirement the
SP investigate spam or other complaints
        and take sufficient actions to disable offending hosts or
networks, or ensure
        further spam is blocked..

      o Appropriate filtering  of incoming bgp announcements.
      o Accurate WHOIS information, listing the actual contact, no 3rd
party or intermediary
         for number resources, domains, etc.
      o Easily accessible and responsive technical and abuse contacts
for all services.

      o Not subverting or altering DNS query responses, or other
packets, as they
         cross the network;  for example,  not offering name lookup servers that
         claim to provide DNS service,  but covertly rewrite or capture
         NXDOMAIN or other responses,  sending an altered response instead.

>> Do the engineering heads at the top 10 tier-1/2 carriers carry enough
>> water to make that sale to the CEOs?

> Unfortunately, no - else it would've come to pass quite some time ago.