[AusNOG] MANRS Project - Fixing the Internet's routing security is urgent and requires collaboration

Ross Wheeler ausnog at rossw.net
Mon Feb 29 19:23:39 EST 2016



On Mon, 29 Feb 2016, Jeff Young wrote:

> Ignorance and apathy are the key reasons we don't have near-universal 
> source-address validation.  I'm not apologizing for anyone - you know 
> very well that I advocate for implementing source-address validation, as 
> you've seen/heard me talk about it many times before.

As much as I completely agree with it in principle, and have done it here 
as a matter of course over the last couple of decades, there were (and 
probably still are) some exceptions.

One notable one was some of the early satellite days, where a client's PC 
"had to" send out spoofed packets (which "had to" traverse my network), in 
order for the reply packets to come back over the satellite path. (Yes, 
this was back in the dark ages of modem-backchannel satellite-downlink). 
It added nontrivial complexity at our end, and required more network 
understanding than "some" of the other ISPs could manage. When we first 
encountered it, the satellite people's "instructions" to us were to "just 
turn off that stupid requirement - it makes everyone's life harder and just 
slows down the internet for everyone" and besides, nobody else was doing 
it so why was I so "special"?

One size definitely doesn't fit all, but I certainly think it should be 
done as a matter of choice and "best practice", because we WANT to do it, 
not because of more unnecessary regulation thrust upon us. It's also 
arguably easier to do it further towards the (customer) edges of our 
networks than closer to the core, because towards the edges there are 
generally fewer packets per device, and those devices are more likely to 
know what addresses they SHOULD be seeing.

R.
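
An added example, not part of the original message: a vendor-neutral Python model of source-address validation at the customer edge, where each port knows the prefixes it should see and an exception like the satellite case is scoped to one port and counted separately. The port names, prefixes (RFC 5737 documentation ranges) and function names are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample policy: one entry per customer-facing edge port.
EDGE_PORTS = {
    "cust-a": {"assigned": ["192.0.2.0/28"], "exceptions": []},
    # Hypothetical customer with a satellite downlink: packets sourced from
    # the satellite operator's prefix are allowed on this one port only.
    "cust-sat": {"assigned": ["192.0.2.16/28"],
                 "exceptions": ["198.51.100.0/29"]},
}

def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]

def check_source(port, src):
    """Return 'permit', 'permit-exception' or 'drop' for a source address."""
    policy = EDGE_PORTS.get(port)
    if policy is None:
        return "drop"  # unknown port: fail closed
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop"  # unparseable source address
    if any(addr in n for n in _nets(policy["assigned"])):
        return "permit"
    if any(addr in n for n in _nets(policy["exceptions"])):
        return "permit-exception"
    return "drop"

def audit(packets):
    """Count verdicts per port so exceptions and drops stay visible."""
    counts = {}
    for port, src in packets:
        verdict = check_source(port, src)
        per_port = counts.setdefault(port, {})
        per_port[verdict] = per_port.get(verdict, 0) + 1
    return counts

SAMPLE = [  # constructed (port, source address) pairs
    ("cust-a", "192.0.2.5"),
    ("cust-a", "198.51.100.2"),    # satellite prefix on the wrong port
    ("cust-sat", "192.0.2.20"),
    ("cust-sat", "198.51.100.2"),  # the scoped exception
    ("cust-sat", "203.0.113.9"),   # matches neither list
]

if __name__ == "__main__":
    for port, verdicts in audit(SAMPLE).items():
        print(port, verdicts)
```
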

