... Lawrence K. Chen, P.Eng. wrote: > I've been told that we can't implement BCP38 because its actually an egress > filtering....its only ingress from the perspective of the ISP and its > downstream customers....to DNS operators, that the ISPs need to implement. > Since it is to prevent source address that aren't in the netblock of its > downstream customer from being forwarded into the Internet. > > But outside our border is the whole Internet....so as long as the source > address is valid and not us...how would we tell that its being spoofed?
See also <http://archive.icann.org/en/committees/security/sac004.txt> which has a different taxonomy but the same goal as BCP38, and which is directly responsive to your observations above. Paul _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
