North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: BCP38 making it work, solving problems
- From: Daniel Senie
- Date: Mon Oct 11 18:08:21 2004
At 05:41 PM 10/11/2004, Richard A Steenbergen wrote:
I've removed the rest of your message, talking about which vendors do or
don't have what capabilities. While I agree it'd be nice if more vendors
offered automated tools for implementing ingress filtering, such tools are
unnecessary in most corporate network cases, thus the lack of corporate
customers asking for the feature. In reality every device offering access
control lists capable of filtering on source IP address can and does have
sufficient capability to implement BCP38.
>On Mon, Oct 11, 2004 at 02:58:59AM +0000, Fergie (Paul Ferguson) wrote:
> It's better than a sharp stick in the eye, I'll tell ya,
> Listen to me: It's called a "best current practice" for a
> reason -- people should do it. Not sit and around and endlessly
> discuss it (we've already done that a thousand times).
> I wrote it, I stand beside it. I'm sick of hearing why people
> haven't implemented it yet -- it's almost five years later
> and there's simply no excuse. It's sickening.
Tell it to the vendors of the layer 3 customer attach devices. I was just
speaking about this with a major "up and coming layer 2/3 switch vendor"
the other day, who had no implementation or real plans to implement uRPF
in the immediate future. It apears that there are no enterprise customers
asking for this feature (not a shock), despite the fact that they are
probably a leading generator of hacked machines throwing bad packets down
reasonably big pipes.
While I appreciate the desire to have a single switch solution, like was
possible with BCP34, it's a bit more complex to do in this case. It is,
however, disingenuous to say that devices don't support BCP38 because they
don't have an automated widget to implement it. Keep in mind that uRPF is
an implementation of BCP38 capability, and other implementations are
This was probably obvious to you, but others reading might find the