> > It's not excessive to repeat that, although recommended
> > configurations described in this document could alleviate the
> > problem, the only solution to source address spoofing problems is
> > the wide-scale deployment of Ingress Filtering to prevent use of
> > spoofed IP addresses [BCP38], [BCP84].
>
> Not only it *is* excessive (four mentions in a small I-D) but it is
> not true since there is no notice in the I-D that BCP-38 does not
> prevent intra-provider spoofing.
I don't know may providers that have their network implemented
as a single broadcast domain. BCP-38 can equally be applied
inside a network as at the borders. In fact it is easier
to do it if is applied inside the network. The border filters
then protect the rest of the net from router compromise.
BCP-38 may not stop all spoofing but it will localize the
source of spoofed traffic.
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www1.ietf.org/mailman/listinfo/dnsop
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
_______________________________________________
DNSOP mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dnsop
