> On Dec 31, 2015, at 6:01 PM, Michael Richardson <mcr+ietf@xxxxxxxxxxxx> wrote:
>
>
> Brian E Carpenter <brian.e.carpenter@xxxxxxxxx> wrote:
>> That seems worth a bit more discussion. I'd always naively assumed that BCP38 was
>> scalable since all it appears to need is a prefix match, and routers are very
>> good at matching prefixes; it's just that they don't normally match the source
>> prefix. Could some router-vendor person comment on this?
>
> It's also really really really cheap to do in the CMTS or PPP concentrator,
> where for IPv4, it's often not even a "prefix" machine, but a /32 match.
>
> IPv6 with PD makes it potentially a list...

These often aren’t the devices that are a problem. The majority of cable/DSL networks do not permit spoofing. There are external ways to measure this with traceroute and data from things like the OpenResolverProject stuff which I worked on.

I can get a $5/mo server or a $2/mo so-called booter service to launch attacks from. What I often need are better tools to trace back spoofed packets or mark them. The nice thing about most of these attack networks is they respond faster than I can trace, and most attacks we see are sub-15 minutes.

The incentives are all wrong here and I’d love to talk to people about how to change them. Some locations, e.g. Finland, have a regulator that does not accept spoofing from the entities they supervise. It’s one approach, but perhaps doesn’t scale to other markets.

- Jared
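The thread turns on how cheap a BCP38 source check really is: a /32 match per subscriber port for IPv4, and a short list of prefixes per port once IPv6 prefix delegation is in play. The following is an added illustration, not code from the thread or from any router vendor, of that per-ingress-interface source validation as a defender would implement it in software. The interface names, the prefix table and the sample packets are all constructed for the example; it also records where spoofed packets entered, which is the per-port "mark" Jared asks for when tracing spoofed traffic back.

```python
"""BCP38-style ingress filtering: validate each packet's source address against
the prefixes assigned behind the interface it arrived on.

Added example (not from the mailing-list thread). Interface names, prefixes and
packets below are constructed sample data.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Hypothetical per-interface assignment table. An IPv4 subscriber port needs only
# a single /32; an IPv6 port with prefix delegation carries a list of prefixes.
INTERFACE_PREFIXES: Dict[str, List[str]] = {
    "cable0/1": ["203.0.113.17/32"],                          # IPv4: one host
    "cable0/2": ["2001:db8:10::/48", "2001:db8:20:5::/64"],   # IPv6 PD: a list
    "ppp3": ["198.51.100.0/30"],                              # small IPv4 block
}

# Constructed sample traffic: (ingress interface, source, destination).
SAMPLE_PACKETS: List[Tuple[str, str, str]] = [
    ("cable0/1", "203.0.113.17", "192.0.2.53"),          # legitimate
    ("cable0/1", "192.0.2.99", "192.0.2.53"),            # spoofed source
    ("cable0/2", "2001:db8:20:5::1", "2001:db8::53"),    # legitimate (PD prefix)
    ("cable0/2", "2001:db8:99::1", "2001:db8::53"),      # spoofed source
    ("ppp3", "198.51.100.2", "192.0.2.53"),              # legitimate
    ("eth9", "198.51.100.2", "192.0.2.53"),              # unknown interface
]


class IngressFilter:
    """Per-interface source address validation with a drop counter per port."""

    def __init__(self, table: Dict[str, List[str]]) -> None:
        # Parse prefixes once; matching a packet is then a containment test.
        self.table = {
            ifname: [ipaddress.ip_network(p, strict=True) for p in prefixes]
            for ifname, prefixes in table.items()
        }
        # Count of spoofed packets seen per ingress interface: this is what a
        # trace-back needs, because it names the port the spoofing came in on.
        self.dropped: Counter = Counter()

    def is_valid_source(self, ifname: str, src: str) -> bool:
        """True if src falls inside a prefix assigned behind ifname."""
        addr = ipaddress.ip_address(src)
        nets = self.table.get(ifname)
        if nets is None:
            return False  # no assignment known for this port: fail closed
        # Address family must match; a v6 address never matches a v4 prefix.
        return any(addr.version == net.version and addr in net for net in nets)

    def filter_packets(self, packets):
        """Split packets into (forwarded, dropped) and update drop counters."""
        forwarded, dropped = [], []
        for ifname, src, dst in packets:
            if self.is_valid_source(ifname, src):
                forwarded.append((ifname, src, dst))
            else:
                dropped.append((ifname, src, dst))
                self.dropped[ifname] += 1
        return forwarded, dropped


def run_sample() -> Tuple[int, int, Counter]:
    """Filter the constructed sample traffic; returns counts and per-port drops."""
    flt = IngressFilter(INTERFACE_PREFIXES)
    fwd, drop = flt.filter_packets(SAMPLE_PACKETS)
    return len(fwd), len(drop), flt.dropped


if __name__ == "__main__":
    n_fwd, n_drop, per_port = run_sample()
    print(f"forwarded={n_fwd} dropped={n_drop}")
    for port, count in per_port.items():
        print(f"  spoofed packets entering via {port}: {count}")
```

The check is deliberately a containment test against a handful of prefixes, which is the point made in the quoted text: the cost is a source-prefix lookup the forwarding path already knows how to do, and the per-port drop counter is the cheapest possible marking of where spoofed traffic originated. Unknown interfaces fail closed, so a missing table entry surfaces as drops rather than as silently forwarded spoofed packets.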