Greetings,
When I was teaching CIS classes at a local Community College, whenever we covered Firewalls I always taught them to NOT be the reason someone else is suffering Distributed Denial Of Service (DDOS) attacks. And the way to do this was to follow the "Best Common Practice 38" (BCP-38) found in the RFCs, to NEVER send out any packets that don't have a SOURCE ADDRESS that is one within your own network. NEVER spoof a source address that is not your own.

      http://www.bcp38.info/index.php/Main_Page

   --- Jay Nugent  WB8TKL
       o Retired
       o Had a nice career at Washtenaw Community College,
         Nugent Telecommunications, ANS/NSFnet, AOL, GTE Telenet,
         Bell Northern Research, Northern Telecom, and others...

On Sat, 5 Apr 2025, Barry Greene via NANOG wrote:


"What is the exact optimum solution?"

You build SAV into your architecture. It is that simple. Start with the end in 
mind - ensure no packet leaves your part of the network if the IP source does 
NOT equal the IPs allocated to that network.

If it does, you have FAILED as a network architect.

People get caught up with the widgets you might use to achieve your architectural 
goals. How you do SAV depends on what you are building. What I would do on a 
4G/5G architecture is different from an edge rack on a cloud/edge network which 
is then different from an office enterprise, which is different from a 
broadband provider which is different from my home network which is different 
from ……

Taygun, people get all tied in knots debating which is best - the nail, the 
wood screw, the bolt, the clamp, wood glue, duct tape …. All to connect two 
pieces of wood together.  Do not get lost in the 'SAV widget debate.'

Focus on the regulatory requirement for networks to have SAV be integral to the 
network architecture. Yes, "regulatory requirement" .. just like civil 
engineering architecture requirement to ensure a building is safe. It is the 
only way you are going to break the 80/20 problem. We reached 80% SAV 
deployment back in 2012 (see 
https://www.senki.org/everyone-should-be-deploying-bcp-38-wait-they-are/). 
People didn’t like my post, but it was reality. CAIDA got some funding to move 
the Spoofer project and do another year, but then that money disappeared.

If you want Türkiye to deploy SAV effectively, then you go to the Telecom 
Regulator and ask for them to make it a licensed requirement. They do not need 
the knowledge of the “technical SAV widgets,” they just say - no spoofed 
packets.
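Both messages above describe the same rule: a packet may leave your part of the network only if its source address belongs to the prefixes allocated to that network. The following is an added illustration of that egress check, not code from either poster or from NANOG; the allocated prefixes and the packet sample are constructed from the RFC 5737 / RFC 3849 documentation ranges, and the three function names are assumptions. It fails closed on unparsable sources and tallies dropped packets per offending source so an operator can locate the host that is spoofing.

```python
import ipaddress
from collections import Counter

# Constructed example: the prefixes allocated to "our" network, using the
# RFC 5737 / RFC 3849 documentation ranges. A real deployment would load
# these from the allocation records (IPAM) for that network edge.
ALLOCATED_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed sample of (source, destination) pairs seen leaving the network.
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.5"),         # legitimate: source is ours
    ("203.0.113.77", "198.51.100.5"),       # spoofed: source is someone else's
    ("2001:db8:1::42", "2001:db8:2::1"),    # legitimate IPv6 source
    ("2001:db8:9::1", "2001:db8:2::1"),     # spoofed IPv6 source
    ("203.0.113.77", "198.51.100.53"),      # same spoofed source again
    ("not-an-address", "198.51.100.5"),     # malformed: must fail closed
]


def source_is_ours(src, allocated=ALLOCATED_PREFIXES):
    """Return True only if src parses and lies inside one of our prefixes.

    Anything that does not parse is treated as not ours, so the filter
    fails closed rather than letting garbage through.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in allocated if net.version == addr.version)


def egress_filter(packets, allocated=ALLOCATED_PREFIXES):
    """Split packets into (permitted, dropped) according to the BCP-38 rule:
    forward only packets whose source is one of our allocated addresses."""
    permitted, dropped = [], []
    for src, dst in packets:
        (permitted if source_is_ours(src, allocated) else dropped).append((src, dst))
    return permitted, dropped


def spoof_report(dropped):
    """Count dropped packets per offending source; repeated hits from one
    address point the operator at the host that needs attention."""
    return Counter(src for src, _ in dropped)


if __name__ == "__main__":
    ok, bad = egress_filter(SAMPLE_PACKETS)
    print(f"permitted {len(ok)}, dropped {len(bad)}")
    for src, count in spoof_report(bad).most_common():
        print(f"  spoofed source {src}: {count} packet(s)")
```

On real equipment the same check is expressed as an egress ACL built from the allocation list, or as unicast RPF on the customer-facing interface; the point of the snippet is only that the decision depends on nothing but "is this source address one of ours", which is exactly what a regulator can require without caring which widget enforces it.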


_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/AOI6DXPG7DCMEH2RVIPXYV7P2KNFSTD2/

_______________________________________________
NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/4TV45I7KOLGLCMUJZXF6QYF6FGCUL7TE/