On Dec 31, 2015, at 6:01 PM, Michael Richardson <mcr+ietf(_at_)sandelman(_dot_)ca> wrote:
Brian E Carpenter <brian(_dot_)e(_dot_)carpenter(_at_)gmail(_dot_)com> wrote:

That seems worth a bit more discussion. I'd always naively assumed that BCP38 was scalable since all it appears to need is a prefix match, and routers are very good at matching prefixes; it's just that they don't normally match the source prefix. Could some router-vendor person comment on this?
It's also really really really cheap to do in the CMTS or PPP concentrator, where for IPv4, it's often not even a "prefix" machine, but a /32 match. IPv6 with PD makes it potentially a list...
These often aren’t the devices that are a problem. The majority of cable/DSL networks do not permit spoofing. There are external ways to measure this with traceroute and data from things like the OpenResolverProject stuff which I worked on.

I can get a $5/mo server or a $2/mo so-called-booter service to launch attacks from.

What I often need are better tools to trace back spoofed packets or mark them. The nice thing about most of these attack networks is they respond faster than I can trace, and most attacks we see are sub-15 minutes. The incentives are all wrong here and I’d love to talk to people about how to change them. Some locations, e.g. Finland, have a regulator that does not accept spoofing from the entities they supervise. It’s one approach, but perhaps doesn’t scale to other markets.
- Jared
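The source-address check the thread is discussing, as an added illustration that is not part of the original thread: a per-interface BCP38 filter where an IPv4 subscriber is an exact /32 match and an IPv6 subscriber is a short list (link prefix plus delegated prefixes). Interface names and the addresses in the table are constructed sample data drawn from the documentation ranges.

```python
"""Per-subscriber source-address validation (BCP38 style) as a prefix match.

Each access-side interface carries the address space assigned to the subscriber
behind it: a single IPv4 /32, or for IPv6 the link prefix plus any delegated
prefixes (PD). A packet is forwarded only when its source falls inside one of
those entries; any other source is spoofed and dropped. Unknown interfaces
permit nothing (fail closed). The table below is constructed sample data.
"""
import ipaddress
from typing import Dict, List, Tuple, Union

Prefix = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Packet = Tuple[str, str, str]  # (ingress interface, source, destination)

# Constructed example table: interface -> prefixes the subscriber may source from.
SUBSCRIBER_PREFIXES: Dict[str, List[Prefix]] = {
    "cable0/1": [ipaddress.ip_network("192.0.2.17/32")],        # IPv4: exact /32
    "cable0/2": [ipaddress.ip_network("192.0.2.18/32"),
                 ipaddress.ip_network("2001:db8:1::/64"),       # IPv6 link prefix
                 ipaddress.ip_network("2001:db8:100::/56")],    # IPv6 delegated prefix
}


def source_permitted(ifname: str, src: str, table=SUBSCRIBER_PREFIXES) -> bool:
    """Return True if a packet sourced from `src` may enter on `ifname`."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: never forward it
    # `addr in net` is False when the address families differ, so a mixed
    # v4/v6 list per interface needs no special casing.
    return any(addr in net for net in table.get(ifname, []))


def filter_packets(packets: List[Packet], table=SUBSCRIBER_PREFIXES):
    """Split packets into (forwarded, dropped) according to the source check."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_permitted(pkt[0], pkt[1], table) else dropped).append(pkt)
    return forwarded, dropped


if __name__ == "__main__":
    sample: List[Packet] = [
        ("cable0/1", "192.0.2.17", "198.51.100.5"),           # legitimate IPv4
        ("cable0/1", "198.51.100.9", "203.0.113.53"),         # spoofed IPv4 source
        ("cable0/2", "2001:db8:100:7::10", "2001:db8::53"),   # inside delegated /56
        ("cable0/2", "2001:db8:2::1", "2001:db8::53"),        # outside subscriber space
    ]
    fwd, drop = filter_packets(sample)
    print("forwarded:", [p[1] for p in fwd])   # prints 192.0.2.17 and the PD address
    print("dropped:  ", [p[1] for p in drop])  # prints the two spoofed sources
```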