Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: BCP38 making it work, solving problems

  • From: Daniel Senie
  • Date: Mon Oct 11 18:08:21 2004

At 05:41 PM 10/11/2004, Richard A Steenbergen wrote:

>On Mon, Oct 11, 2004 at 02:58:59AM +0000, Fergie (Paul Ferguson) wrote:
>
> It's better than a sharp stick in the eye, I'll tell ya,
> lad.
>
> Listen to me: It's called a "best current practice" for a
> reason -- people should do it. Not sit and around and endlessly
> discuss it (we've already done that a thousand times).
>
> I wrote it, I stand beside it. I'm sick of hearing why people
> haven't implemented it yet -- it's almost five years later
> and there's simply no excuse. It's sickening.

Tell it to the vendors of the layer 3 customer attach devices. I was just
speaking about this with a major "up and coming layer 2/3 switch vendor"
the other day, who had no implementation or real plans to implement uRPF
in the immediate future. It apears that there are no enterprise customers
asking for this feature (not a shock), despite the fact that they are
probably a leading generator of hacked machines throwing bad packets down
reasonably big pipes.
I've removed the rest of your message, talking about which vendors do or don't have what capabilities. While I agree it'd be nice if more vendors offered automated tools for implementing ingress filtering, such tools are unnecessary in most corporate network cases, thus the lack of corporate customers asking for the feature. In reality every device offering access control lists capable of filtering on source IP address can and does have sufficient capability to implement BCP38.

While I appreciate the desire to have a single switch solution, like was possible with BCP34, it's a bit more complex to do in this case. It is, however, disingenuous to say that devices don't support BCP38 because they don't have an automated widget to implement it. Keep in mind that uRPF is an implementation of BCP38 capability, and other implementations are entirely possible.

This was probably obvious to you, but others reading might find the clarification useful.




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.