Hi,

>>> Why are ISPs so uncooperative?
>>> Isn't it in *their* best interest as well to limit needless
>>> bandwidth on their networks?
>>
>>   ONLY if the ongoing cost of filtering out that bandwidth is less
>> than the ongoing cost of owning the extra capacity to carry it.  And
>> I'd bet that the latter always comes out negligible....
>>   [This assumes, of course, that they define "best interests" in
>> terms of the quarterly bottom line.]
>>
>
> Great point.  Isn't that also the case with just about everyone in the
> chain?  Everyone needs to make some effort and take some of the
> responsibility for securing systems/networks.

I've been working in several ISP environments during the last years. I've
not found one where ingress filtering as described in RFC 2827 was in place,
not even for the customer dial-in segments [where problems with asymmetric
routing would not occur]. If everybody implemented it, at least attacks
based on spoofed source addresses would be a bit harder...
Go ask your ISP's technician, if he ever heard of 'ip verify unicast
reverse-path'.
At most ISPs the golden calf is availability & bandwidth. Do _not_ think
they're much interested in security. That may be a result of the strong
competition in that area...
And I suppose there are also lots of corporate/university/whatever border
routers where this is not implemented either... (at least I know some)...

Regards,

Enno Rey

[EMAIL PROTECTED] --- www.security-academy.de
PGP 74C0 C7E1 3875 E4EB 9B75  8B9D 5E2D 3178 685B F222
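
The strict reverse-path check behind RFC 2827-style ingress filtering, modelled as an added example (not part of the original post, and not router code): a packet is accepted only if the best route back to its source address points out of the interface it arrived on. The forwarding table, interface names and packets are constructed; the last packet shows the asymmetric-routing case the post mentions.

```python
import ipaddress

# Constructed forwarding table: (prefix, interface of the best route).
# Interface names are hypothetical; prefixes are documentation ranges.
FIB = [
    ("0.0.0.0/0", "upstream0"),
    ("192.0.2.0/24", "dialin0"),     # customer dial-in pool
    ("198.51.100.0/24", "cust1"),    # multihomed customer, primary link
    ("203.0.113.0/24", "peer0"),
]

def lookup(fib, addr):
    """Longest-prefix match: interface of the best route to addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def strict_rpf_accept(fib, src, in_iface):
    """Accept only if the best route back to src leaves via in_iface."""
    return lookup(fib, src) == in_iface

def filter_packets(fib, packets):
    """Return (src, in_iface, verdict) for each sample packet."""
    return [
        (src, iface, "accept" if strict_rpf_accept(fib, src, iface) else "drop")
        for src, iface in packets
    ]

# Constructed sample traffic: (source address, arrival interface).
PACKETS = [
    ("192.0.2.17", "dialin0"),    # dial-in user sending from its own address
    ("203.0.113.5", "dialin0"),   # dial-in user with a spoofed source
    ("198.51.100.9", "cust1"),    # multihomed customer on the primary link
    ("198.51.100.9", "cust2"),    # same customer, traffic arrives on backup link
]

if __name__ == "__main__":
    for src, iface, verdict in filter_packets(FIB, PACKETS):
        print(f"{src:15} in {iface:8} -> {verdict}")
```

The final drop is a false positive caused by asymmetric routing, which is why the check is simplest to deploy on single-homed edges such as dial-in segments.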
