On Thursday, December 31, 2015 10:25 PM, Randy Bush wrote:
> ...
> and, in the meantime, ietf idealists can continue to blame operators,
> operators can continue to blame vendors (and ietf idealists), and
> vendors can ask where the cash comes from. and therein lies the
> disconnect. the pain is far removed from the basic causes. this
> generally does not work out very well.

It is pretty clear that BCP 38 is not being deployed because the incentives are not there. Implementing ingress filtering on the current hardware doubles the per-packet processing time, and that's certainly a disincentive for operators. It also creates new failure modes for ISPs serving multi-homed customers, and that too is a serious disincentive for operators. In short, BCP 38 requires operators to increase their cost of operation in order to protect "the whole Internet" against some forms of attacks. We can call it tragedy of the commons or whatever, but the reality is that this kind of mandate almost never gets deployed.

I can think of only one example of such mandates actually being enforced: the fight against "open mail relays" a dozen years ago. The self-appointed Internet police, or vigilantes, detected SMTP relays that could forward spam, shamed them, and blacklisted them until they fixed their setup. The relay operators could fix their operation, or face customer complaints that their mail was being rejected. It was bitter, but there are very few open mail relays left operating now, so in a sense we could say that vigilantism did work. On the other hand, it is not like spam disappeared.

I shudder at the idea of vigilantes trying to enforce BCP-38 that way. Randy gently pointed out the disconnect between operators and idealists. An enforcement campaign complete with blacklists and BGP blocks would do wonders for that disconnect! Besides, it would only work if we could also secure BGP, another interesting problem.

And even if it "worked," it would probably not stop denial of service attacks, just like shutting down open mail relays did not fix spam. The realist view is thus to deprecate BCP-38. We tried, and we now know that it cannot be deployed, and certainly cannot be relied on to stop attacks. We already design new protocols with the assumption that the source IP address can be forged. Let's fix the old ones. And in particular, let's fix DNS implementations so they cannot be used as DDOS amplifiers!

-- 
Christian Huitema
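The multi-homing failure mode mentioned in the message above, as an added example that is not part of the thread: a minimal Python model of a BCP 38 ingress filter, using constructed interface names and RFC 5737 documentation prefixes, showing how a filter that lists only the ISP's own address assignment drops legitimate packets from a customer's other-provider space, and how adding that prefix fixes it without readmitting sources outside the customer's space.

```python
import ipaddress

# Constructed example values (RFC 5737 documentation ranges), not from the thread.
CUSTOMER_IFACE = "ge-0/0/1"           # ISP B's link to a multi-homed customer
PREFIX_FROM_ISP_B = "192.0.2.0/24"    # space ISP B assigned to this customer
PREFIX_FROM_ISP_A = "203.0.113.0/24"  # space the same customer got from ISP A


def build_filter(table):
    """table: {interface: [prefix, ...]} -> {interface: [ip_network, ...]}"""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in table.items()}


def ingress_allowed(filters, iface, src):
    """BCP 38 check: accept a packet only if its source address falls inside
    a prefix the operator expects to see arriving on that interface."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in filters.get(iface, []))


def classify(filters, packets):
    """Apply the filter to (interface, source) pairs; return verdicts."""
    return [(iface, src, "accept" if ingress_allowed(filters, iface, src) else "drop")
            for iface, src in packets]


# Constructed traffic: legitimate sources from both assignments plus one
# source that belongs to neither of the customer's prefixes.
PACKETS = [
    (CUSTOMER_IFACE, "192.0.2.10"),    # customer using ISP B's assignment
    (CUSTOMER_IFACE, "203.0.113.10"),  # customer using ISP A's assignment, exiting via B
    (CUSTOMER_IFACE, "198.51.100.7"),  # not in any prefix of this customer
]

# Naive filter: ISP B lists only the space it assigned itself, so the
# customer's ISP A-assigned traffic is wrongly dropped.
NAIVE = build_filter({CUSTOMER_IFACE: [PREFIX_FROM_ISP_B]})
# Corrected filter: ISP B also lists the prefix the customer got elsewhere.
CORRECTED = build_filter({CUSTOMER_IFACE: [PREFIX_FROM_ISP_B, PREFIX_FROM_ISP_A]})

if __name__ == "__main__":
    for name, f in (("naive", NAIVE), ("corrected", CORRECTED)):
        print(name)
        for iface, src, verdict in classify(f, PACKETS):
            print(f"  {iface} {src:>14} -> {verdict}")
```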