ietf

RE: What to improve? BCP-38/SAC-004 anyone?

2016-01-01 13:52:25
On Thursday, December 31, 2015 10:25 PM, Randy Bush wrote:
...
and, in the meantime, ietf idealists can continue to blame operators,
operators can continue to blame vendors (and ietf idealists), and
vendors can ask where the cash comes from.  and therein lies the
disconnect.  the pain is far removed from the basic causes.  this
generally does not work out very well.

It is pretty clear that BCP 38 is not being deployed because the incentives
are not there. Implementing ingress filtering on the current hardware
doubles the per packet processing time, and that's certainly a disincentive
for operators. It also creates new failure modes for ISPs serving multi-homed
customers, and that too is a serious disincentive for operators. In short,
BCP 38 requires operators to increase their cost of operation in order to
protect "the whole Internet" against some forms of attacks. We can call it
tragedy of the commons or whatever, but the reality is that this kind of
mandate almost never gets deployed.

I can think of only one example of such mandates actually being enforced -
the fight against "open mail relays" a dozen years ago. The self-appointed
Internet police, or vigilantes, detected SMTP relays that could forward
spam, shamed them, and blacklisted them until they fixed their setup. The
relay operators could fix their operation, or face customer complaints that
their mail was being rejected. It was bitter, but there are very few open
mail relays left operating now, so in a sense we could say that vigilantism
did work. On the other hand, it is not like spam disappeared.

I shudder at the idea of vigilantes trying to enforce BCP-38 that way. Randy
gently pointed out the disconnect between operators and idealists. An
enforcement campaign complete with blacklists and BGP blocks would do
wonders for that disconnect! Besides, it would only work if we could also
secure BGP, another interesting problem. And even if it "worked," it would
probably not stop denial of service attacks, just like shutting down open
mail relays did not fix spam.

The realist view is thus to deprecate BCP-38. We tried, and we now know that
it cannot be deployed, and certainly cannot be relied on to stop attacks. We
already design new protocols with the assumption that the source IP address
can be forged. Let's fix the old ones. And in particular, let's fix DNS
implementations so they cannot be used as DDOS amplifiers!

-- Christian Huitema