North American Network Operators Group


Re: an effect of ignoring BCP38

  • From: David Sinn
  • Date: Fri Sep 05 18:36:54 2008

I don't think you will get any argument that the vast majority of CS departments teach theory and not as much valid practice when it comes to networking. Though, being formally at the UW, I can tell you that they wouldn't have been able to spoof on the campus or through its upstream (which we also ran).

That being said, I think another area that BCP38 is going to run into problems with is IPv6. Given that hosts are multi-addressed from day one and nominally follow a default route for returning traffic, they can easily appear to "spoof" perfectly valid traffic (6to4 in, native out for example). While some can be made as exceptions (6to4), some won't be done so easily without some implementation changes.

And that's not even touching on the holes in RPF checks on Cisco (no feasible) or Juniper (not quite as feasible as is really feasible) platforms.

David

On Sep 4, 2008, at 10:22 PM, [email protected] wrote:



seems that some folks in the R&E community, with institutional support
from Cisco, Google, and the US NSF, are exploiting our inability to
take even rudimentary steps toward providing a level of integrity in
routing by teaching students that spoofing IP space is ok.  This whole
thing works at all because so few people use/deploy/maintain BCP-38
compliance.  This was an eye-opener for me.

http://www.caida.org/workshops/wide/0808/slides/measuring_reverse_paths.pdf


--bill

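The "6to4 in, native out" case from the reply above, as an added example that is not part of either message: a simplified model of strict, feasible-path and loose reverse-path checks on a provider's customer-facing interface. The prefixes, the interface names `cust0` and `relay0`, and the per-route feasible-interface set are constructed assumptions, not any vendor's implementation.

```python
import ipaddress

def sixtofour_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """RFC 3056: the 6to4 /48 for an IPv4 address is 2002:<32-bit v4>::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def build_fib(routes):
    """routes: (prefix, best_if, [other feasible ifs]) -> parsed route list."""
    return [(ipaddress.ip_network(p), best, {best, *alts}) for p, best, alts in routes]

def urpf_accept(fib, src: str, in_if: str, mode: str) -> bool:
    """Ingress source check in 'strict', 'feasible' or 'loose' mode."""
    addr = ipaddress.ip_address(src)
    matches = [r for r in fib if addr in r[0]]
    if not matches:
        return False                    # no route back at all: every mode drops
    _, best_if, feasible_ifs = max(matches, key=lambda r: r[0].prefixlen)
    if mode == "strict":
        return in_if == best_if         # must arrive on the best return path
    if mode == "feasible":
        return in_if in feasible_ifs    # any known path to the source will do
    if mode == "loose":
        return True                     # a route exists somewhere
    raise ValueError(f"unknown mode: {mode}")

# Constructed data: documentation prefixes, hypothetical interface names.
CUSTOMER_V4 = "192.0.2.4"
BASE_ROUTES = [
    ("2001:db8:100::/48", "cust0", []),   # customer's native prefix
    ("2002::/16", "relay0", []),          # all 6to4 space points at the relay
]
FIB = build_fib(BASE_ROUTES)
# The "exception": the customer's own 6to4 /48 is also feasible via cust0.
FIB_WITH_EXCEPTION = build_fib(
    BASE_ROUTES + [(str(sixtofour_prefix(CUSTOMER_V4)), "relay0", ["cust0"])]
)

def verdicts(fib, src: str, in_if: str = "cust0") -> dict:
    """Accept/drop decision per mode for a packet arriving on in_if."""
    return {m: urpf_accept(fib, src, in_if, m) for m in ("strict", "feasible", "loose")}

if __name__ == "__main__":
    for label, fib, src in [
        ("native source", FIB, "2001:db8:100::10"),
        ("6to4 source, no exception", FIB, "2002:c000:204::1"),
        ("6to4 source, with exception", FIB_WITH_EXCEPTION, "2002:c000:204::1"),
        ("unrouted source", FIB, "2001:db8:ffff::1"),
    ]:
        print(f"{label:30} {verdicts(fib, src)}")
```

Only loose mode passes the legitimate 6to4-sourced reply without the per-customer exception, and loose mode would equally pass any other 6to4 source on that interface.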