[NANOG] Re: How can the IP spoofing problem be solved within a country?

[Barry Greene via NANOG <nanog () lists nanog org>]

"What is the exact optimum solution?”

You build SAV into your architect. It is that simple. Start with the end in mind - ensure no packet leaves your part of 
the network if the IP source does NOT equal the IPs allocated to that network.

It it does, you have FAILED as a network architect. 

People get caught up with the widgets you might use to achieve your archectural goals. How you do SAV depends on what 
you are building. What I would do on a 4G/5G architecture is different from an edge rack on a cloud/edge network which 
is then different from an office enterprise, which is different from a broadband provider which is different from my 
home network which is different from ……

Taygun, people get all tided in knots debating on which is best - the nail, the wood screw, the bolt, the clamp, wood 
glue, duct tape  …. All to connect to piece of wood together.  Do not get lost in ’SAV widget debate.’ 

Focus on the regulatory requirement for networks to have SAV be integral to the network architecture. Yes, “regulator 
requirement” .. just like civil engineering architecture requirement to ensure a building is safe. It is the only way 
you are going to break the 80/20 problem. We reached 80% SAV deployment back in 2012 (see 
https://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/). People didn’t like my post, but it was 
reality. CAIDA got some funding to move the Spoofer project and do another year, but then that money disappeared. 

If you want  Türkiye to deploy SAV effectively, then you go to the Telecom Regulator and ask for them to make it a 
licensed requirement. They do not need the knowledge of the “technical SAV widgets,” they just say - no spoofed 
packets.  


_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/AOI6DXPG7DCMEH2RVIPXYV7P2KNFSTD2/