nanog mailing list archives

[NANOG] Re: How can the IP spoofing problem be solved within a country?

From: Christopher Hawker via NANOG <nanog () lists nanog org>
Date: Sat, 5 Apr 2025 16:14:55 +0000

Source Address Validation is one of the key components to preventing spoofing. No network operator should be allowing 
packets to egress their network with source addresses that are external to their network, nor should they allow packets 
to ingress their network that have a source IP address internal to their network. The problem isn't in the 
implementation of BCP38, its network operators failing to do so.


BCP38 technically could cause issues for multihoming networks, however if you are using your own IP space delegated by 
an RIR then it wouldn't be an issue. Where it could cause issues, is when you are using a source address from ISP A to 
send traffic via ISP B and they have strict filtering policies in place.


There is no one single plan as every network is unique. One way to do this would be to filter packets at your border.


Regards,
Christopher Hawker


On Sun, 06/04/2025 02:09 AM, "T. Fırıncı via NANOG" <nanog () lists nanog org> wrote:

Hello I am Taygun,
I am a 23 year old who has been working in cyber security and information
technologies as a hobby for about 13 years.
There are countless people and institutions that have been victims of IP
spoofing attacks that have increased recently in my country (Turkey).
I started researching to find a solution to this problem and offer a
solution to the ISPs and the IT institutions in my country.
After brainstorming in the TRNOG group in Türkiye and on LinkedIn, such as
NANOG, I thought that bcp38 could be a solution, but some people said that
this solution would create a problem in multihome networks. What is the
exact optimum solution? Where should I look? How can I create a plan that
can be presented to the necessary places?
Currently, all existing or old ISPs and datacenters in Türkiye have
completely lost hope in resolving the problem.

References:
https://www.linkedin.com/posts/taygun-firinci_son-zamanlarda-servis-sa%C4%9Flay%C4%B1c%C4%B1lar-ve-datacenterlar%C4%B1n-activity-7313531773399842816-sOCz
https://spoofer.caida.org/recent_tests.php?as_include=&country_include=tur&no_block=1
Best Practices for Deploying SAV:
https://manrs.org/2023/04/why-is-source-address-validation-still-a-problem/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/KXTZVI2FY4IKPTFSBM4353TAE7JCVXEF/



_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/HQQ7EK4GWSXMEEA55IEDXTHTSQSQG37D/

Current thread:

[NANOG] How can the IP spoofing problem be solved within a country? T . Fırıncı via NANOG (Apr 05)
- [NANOG] Re: How can the IP spoofing problem be solved within a country? Tim Howe via NANOG (Apr 05)
- [NANOG] Re: How can the IP spoofing problem be solved within a country? Christopher Hawker via NANOG (Apr 05)
- [NANOG] Re: How can the IP spoofing problem be solved within a country? William Herrin via NANOG (Apr 05)
  - [NANOG] Re: How can the IP spoofing problem be solved within a country? Hank Nussbacher via NANOG (Apr 05)
    - [NANOG] Re: How can the IP spoofing problem be solved within a country? firincitaygun--- via NANOG (Apr 06)
    - [NANOG] Re: How can the IP spoofing problem be solved within a country? Compton, Rich via NANOG (Apr 07)
- [NANOG] Re: How can the IP spoofing problem be solved within a country? Barry Greene via NANOG (Apr 05)
  - [NANOG] Re: How can the IP spoofing problem be solved within a country? sronan--- via NANOG (Apr 05)
    - [NANOG] Re: How can the IP spoofing problem be solved within a country? Barry Greene via NANOG (Apr 05)
  - [NANOG] Re: How can the IP spoofing problem be solved within a country? Jay via NANOG (Apr 06)