> On Sep 12, 2016, at 1:59 PM, Florian Weimer <f...@deneb.enyo.de> wrote:
>
> * Mel Beckman:
>
>> If we can't police ourselves, someone we don't like will do it for us.
>
> That hasn't happened with IP spoofing, has it? As far as I
> understand it, it is still a major contributing factor in
> denial-of-service attacks. Self-regulation has been mostly
> unsuccessful, and yet nothing has happened on the political level.

IP spoofing filtering is more of a technical issue than the social issue of BGP filtering.

BGP filtering is feasible in hardware and software today. You can put a 600k line config on most devices without issues, and automate policy generation with a tool like bgpq3 or similar.

Most hardware requires a recirculation of the packet to do a lookup on the source IP address. This means halving your NPU performance of something that hasn’t been in the 40 bytes per packet range for quite some time.

- Jared
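
The automated policy generation mentioned in the message above, as an added example that is not part of the original thread and is not bgpq3's own code: it expands an as-set, collects the matching route objects, emits a prefix list and checks announcements against it. The IRR records, the as-set names, the list name `CUST-IN` and the /24 and /48 length limits are constructed assumptions.

```python
import ipaddress

# Constructed IRR data: documentation prefixes and ASNs, not real registrations.
AS_SETS = {"AS-EXAMPLE-CUST": ["AS64496", "AS-EXAMPLE-DOWNSTREAM"],
           "AS-EXAMPLE-DOWNSTREAM": ["AS64497", "AS-EXAMPLE-CUST"]}  # loop on purpose
ROUTE_OBJECTS = [
    ("192.0.2.0/24", "AS64496"),
    ("198.51.100.0/24", "AS64497"),
    ("2001:db8::/32", "AS64496"),
    ("203.0.113.0/24", "AS64511"),  # origin outside the customer's as-set
]

def expand_as_set(name, seen=None):
    """Recursively expand an as-set to member ASNs; 'seen' stops membership loops."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    asns = set()
    for member in AS_SETS.get(name, []):
        asns |= expand_as_set(member, seen) if member.startswith("AS-") else {member}
    return asns

def build_filter(as_set, max_len=None):
    """Return sorted (network, longest accepted length) pairs for the as-set."""
    max_len = max_len or {4: 24, 6: 48}  # assumed policy limits
    origins = expand_as_set(as_set)
    nets = {ipaddress.ip_network(p) for p, origin in ROUTE_OBJECTS if origin in origins}
    entries = [(n, max(n.prefixlen, max_len[n.version])) for n in nets]
    return sorted(entries, key=lambda e: (e[0].version, e[0]))

def permits(entries, announced):
    """True if the announced prefix is inside a registered route and not too specific."""
    net = ipaddress.ip_network(announced)
    return any(net.version == a.version and net.subnet_of(a) and net.prefixlen <= le
               for a, le in entries)

def render(name, entries):
    """Emit IOS-style prefix-list lines, one per registered route."""
    lines = []
    for net, le in entries:
        family = "ip" if net.version == 4 else "ipv6"
        suffix = f" le {le}" if le > net.prefixlen else ""
        lines.append(f"{family} prefix-list {name} permit {net}{suffix}")
    return lines

if __name__ == "__main__":
    print("\n".join(render("CUST-IN", build_filter("AS-EXAMPLE-CUST"))))
```

The filter grows by one line per registered route, which is why the resulting configuration can run to hundreds of thousands of lines.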