On Aug 8, 2013, at 1:40 PM, Matthew Petach <mpet...@netflight.com> wrote:
> On Thu, Aug 8, 2013 at 10:29 AM, Jared Mauch <ja...@puck.nether.net> wrote:
>> On Aug 1, 2013, at 2:31 AM, Saku Ytti <s...@ytti.fi> wrote:
>>> On (2013-07-31 17:07 -0700), bottiger wrote:
>>>> But realistically those 2 problems are not going to be solved any time
>>>> in the next decade. I have tested 7 large hosting networks; only one of
>>>> them had BCP38.
>>>
>>> I wonder if it's truly that unrealistic. If we target access networks, it
>>> seems an impractical target.
>>>
>>> We have about 40k origin-only ASNs and about 7k ASNs which offer transit,
>>> who could arguably trivially ACL those 40k peers.
>>>
>>> If we truly tried, as a community, to make deploying these ACLs easy and
>>> actively reached out to those 7k ASNs and offered help, would it be unrealistic to
>>> have ACLs deployed to a sufficiently large portion of networks to make
>>> spoofing impractical/expensive?
>>
>> The following is a sorted list from worst to best of networks that allow
>> spoofing: (cutoff here is 25k)
>>
>> (full list - http://openresolverproject.org/full-spoofer-asn-list-201307.txt )
>>
>> Count ASN#
>> ------------
>> 1323950 3462
>> 1300938 4134
>> 1270046 8151
>> 1213972 9737
>> ...
>
> For the technically clueless among us...
>
> what does "count" refer to in this output?
> How many times you were able to spoof
> an address through them? How many
> different addresses you could spoof through
> them? How many spoofed packets made it
> through before being blocked?
>
> It's kinda hard to know what the list
> represents without a bit of explanation
> around it. ^_^;

Number of unique IPs that spoofed a packet to me. (e.g. I sent a packet to 1.2.3.4 and 5.6.7.8 responded).

If those ASNs are downstream to you, or you are part of that ASN, you can ask for a list of the IPs involved.

Either way, if you have 1.2 million hosts, it may be a lot of BCP38 you need to apply.

- Jared
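Jared's explanation of the "count" column (distinct hosts that answered a probe from a source address they do not own, aggregated per ASN and sorted worst to best) is easy to misread, so here is the counting logic as a small added example. This is illustrative code written for this thread, not the Open Resolver Project's own tooling; the probe log, the prefix-to-ASN table and the ASN numbers in it are all constructed, and attributing each event to the ASN of the probed host (the network that actually forwarded the mismatched packet) is an assumption about the methodology, not something the thread states.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed prefix-to-ASN table, standing in for a real IP-to-ASN lookup.
# ASNs 64500-64502 are from the private-use range; the prefixes are the
# RFC 5737 documentation ranges. None of these values are from the thread.
PREFIX_TO_ASN = {
    ip_network("198.51.100.0/24"): 64500,
    ip_network("203.0.113.0/24"): 64501,
    ip_network("192.0.2.0/24"): 64502,
}

# Constructed probe log: (address probed, source address of the reply).
# A reply whose source differs from the probed address means the probed
# host's network forwarded a packet with a source it does not own, i.e.
# no BCP38 filtering on that path.
PROBE_LOG = [
    ("198.51.100.10", "198.51.100.10"),   # normal: host answered as itself
    ("198.51.100.11", "203.0.113.5"),     # mismatched source -> spoof-capable
    ("198.51.100.11", "203.0.113.6"),     # same host again, counted once
    ("198.51.100.12", "203.0.113.5"),
    ("198.51.100.13", "203.0.113.9"),
    ("203.0.113.20", "203.0.113.20"),     # normal
    ("192.0.2.7", "192.0.2.50"),
    ("192.0.2.8", "198.51.100.200"),
    ("10.9.8.7", "10.1.1.1"),             # no ASN mapping -> ignored
]


def lookup_asn(addr, prefix_to_asn):
    """Longest-prefix match of addr against the constructed table."""
    a = ip_address(addr)
    best = None
    for net, asn in prefix_to_asn.items():
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def spoof_counts(probe_log, prefix_to_asn):
    """Map ASN -> number of distinct probed hosts whose reply carried a
    source address other than their own (Jared's 'count' column)."""
    spoofers = defaultdict(set)
    for probed, reply_src in probe_log:
        if ip_address(probed) == ip_address(reply_src):
            continue  # reply came from the address we probed: nothing spoofed
        asn = lookup_asn(probed, prefix_to_asn)
        if asn is None:
            continue  # cannot attribute to a network; skip rather than guess
        spoofers[asn].add(probed)
    return {asn: len(hosts) for asn, hosts in spoofers.items()}


def worst_to_best(counts, cutoff=0):
    """Rows of (count, asn), highest count first, dropping rows below cutoff,
    matching the shape of the posted list."""
    return sorted(((c, asn) for asn, c in counts.items() if c >= cutoff),
                  reverse=True)


def render(rows):
    """Render rows in the two-column layout used in the thread."""
    lines = ["Count ASN#", "------------"]
    lines.extend(f"{count} {asn}" for count, asn in rows)
    return "\n".join(lines)


if __name__ == "__main__":
    counts = spoof_counts(PROBE_LOG, PREFIX_TO_ASN)
    print(render(worst_to_best(counts)))
```

The set per ASN is what makes the figure "unique IPs" rather than "spoofed packets seen": a host that answers ten probes from ten different forged sources still contributes one to its ASN's count. A cutoff argument reproduces the "cutoff here is 25k" trimming of the posted list.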