nanog mailing list archives

[NANOG] Re: How can the IP spoofing problem be solved within a country?


From: Hank Nussbacher via NANOG <nanog () lists nanog org>
Date: Sun, 6 Apr 2025 08:04:40 +0300

On 06/04/2025 1:40, William Herrin via NANOG wrote:

Based on the Spoofer project:
https://spoofer.caida.org/country_stats.php
https://spoofer.caida.org/recent_tests.php?country_include=tur
the problem is diminishing constantly.

Regards,
Hank


> On Sat, Apr 5, 2025 at 8:07 AM T. Fırıncı via NANOG
> <nanog () lists nanog org> wrote:
>> I thought that bcp38 could be a solution, but some people said that
>> this solution would create a problem in multihome networks.
>
> Hi Taygun,
>
> BCP 38 works great on multihomed networks. Where it doesn't work is:
>
> 1) Large core peering scenarios where an ISP trades routes with
> another ISP and has to take that ISP's word for it that the offered
> routes are valid.
> 2) The customer side of Internet Transit service where the customer
> has to take the ISP's word for it that the presented routes are
> legitimate.
>
> What _does not_ work in multihomed networks is Reverse Path Filtering.
> You have to explicitly filter the routes and source IP addresses your
> customer has authenticated to you. You can't rely on their route
> advertisement to tell you what packets are legitimate because BGP
> routing tends to be asymmetric: packets in one direction often follow
> a different path than packets in the other. Strict RPF breaks
> multihoming and loose RPF falls far far short of meeting BCP 38's
> filtering requirement.
>
>> What is the exact optimum solution?
>
> Depends on your source of authority. If you're constructing a
> government mandate then you require anyone selling Internet service in
> Turkey to implement BCP 38 on every paid Internet connection. That
> means egress filtering everywhere they buy transit or peering service
> inside or outside of Turkey and ingress filtering everywhere they sell
> Internet service inside and outside of Turkey. And you set large and
> escalating fines for every incident where the ISP is found to be in
> non-compliance. Then you sit back and let capitalism do what it does
> best: optimize for cost.
>
> If you're talking about voluntary industry action... give up. The
> BGPSEC effort fell apart and the people who care about BCP 38 already
> implement it.
>
> Regards,
> Bill Herrin
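
The difference between strict RPF, loose RPF and an explicit per-customer source filter, as an added example that is not part of the original thread. It models one ISP's customer-facing port; the prefixes (RFC 5737 documentation ranges), the three-route forwarding table and all function names are constructed for illustration.

```python
import ipaddress

net = ipaddress.ip_network
# Constructed scenario (RFC 5737 documentation prefixes): a customer is
# multihomed to ISP A and ISP B and has authenticated both prefixes to ISP A.
CUSTOMER_PREFIXES = [net("192.0.2.0/24"), net("198.51.100.0/24")]

# Hypothetical forwarding table on ISP A. BGP is asymmetric: A's best path
# back to 198.51.100.0/24 goes via its upstream (through ISP B), although the
# customer also sends packets from that prefix over its link to A.
FIB_A = {
    net("192.0.2.0/24"): "customer",
    net("198.51.100.0/24"): "upstream",
    net("203.0.113.0/24"): "upstream",  # somebody else's prefix
}

def lookup(fib, addr):
    """Longest-prefix match: interface of the best route, or None."""
    hits = [n for n in fib if addr in n]
    return fib[max(hits, key=lambda n: n.prefixlen)] if hits else None

def strict_rpf(src, in_if):
    # Accept only if the best route back to the source uses the arrival port.
    return lookup(FIB_A, src) == in_if

def loose_rpf(src):
    # Accept if any route to the source exists, on any interface.
    return lookup(FIB_A, src) is not None

def explicit_filter(src):
    # Accept only sources inside the prefixes the customer has authenticated.
    return any(src in n for n in CUSTOMER_PREFIXES)

def verdicts(src):
    """Accept (True) or drop (False) per method, for a packet on the customer port."""
    a = ipaddress.ip_address(src)
    return {
        "strict_rpf": strict_rpf(a, "customer"),
        "loose_rpf": loose_rpf(a),
        "explicit_filter": explicit_filter(a),
    }

if __name__ == "__main__":
    for src in ("192.0.2.5", "198.51.100.10", "203.0.113.7"):
        print(src, verdicts(src))
```

Only the explicit filter accepts both of the customer's prefixes and drops the source that belongs to someone else; strict RPF drops the customer's second prefix, and loose RPF accepts everything that has a route.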



_______________________________________________
NANOG mailing list https://lists.nanog.org/archives/list/nanog () lists nanog org/message/TW3OVQKQOBT774TFRVFV27FDGELLJDJM/
