North American Network Operators Group

Re: BCP38 making it work, solving problems
> Date: Tue, 19 Oct 2004 13:20:08 -0400
> From: David G. Andersen <[email protected]>
> Subject: Re: BCP38 making it work, solving problems
> [ ... ]
> Unless you're worried about an adversary who taps into your
> fiber, how is MD5 checksums any better than anti spoofing filters
> that protect your BGP peering sessions? The only benefit I see is
> that you can actually verify that your peer is using md5 checksums,
> instead of having to take them on faith that they won't permit
> someone to spoof their router's address.

How much control do 'they' have over the ways 'someone' can spoof? With large providers who don't see any harm in allowing possibly spoofed traffic through, you cannot exclude the possibility that an ISP connected to an IX "leaks" those spoofed packets onto the IX. (or leaks RFC1918 space... I know of a few examples / mails ;D)

In the current world - where you cannot exclude either one - you're much better off 'safe' than 'sorry'...

Implementing BCP38 (to come back on-topic) is just plain good neighbourhood policy. I don't go building 2.5 meter tall fences around my house because I don't want my neighbour's plants in my garden. No, we come to an understanding that whenever his plants get out of control in my garden I can cut them back, but that he will also trim them more often. In most cases it will go like that, the minority of when it doesn't go like that, you start filtering / whatever, just like we do now.

Regards,
JP Velders