[dns-operations] universal deployment of BCP38 and won't/can't semantics

Paul Ferguson fergdawgster at gmail.com
Sat Feb 23 02:23:19 UTC 2013


Below:

On Fri, Feb 22, 2013 at 11:45 AM, Jo Rhett <jrhett at netconsonance.com> wrote:
> On Feb 22, 2013, at 10:19 AM, Jim Reid <jim at rfc1035.com> wrote:

>> There's no point arguing the semantics of "don't" and "can't". As Paul mentioned earlier, let's remain realistic. Universal deployment of BCP38 simply isn't going to happen, no matter how much you or I *really want* that. [And I do.] Get over it.
>>
>> Good luck getting an ISP in downtown Mogadishu (say) to sign up to BCP38 and stick to it.
>
> If their ability to pass traffic requires BCP38 and detected failures will lead to de-peering, it will happen. I've enforced BCP38 within both colocation facilities and large-scale peering. It can happen, and the "fight" has usually been much less than expected. My employers have been tentative about whether they'd risk a legal battle over it, but it has never come to that. And we lost zero, flat zero, opportunities over this unless you count some large spam operators that we turned away for multiple reasons.
>
> Stop saying it won't happen, and push back just a little every day. If enough of us do this, it will come to be.
>
> I am seriously looking for a great opportunity to sue a very large carrier for a failure to implement BCP38, since it very clearly meets the guidelines for "reasonable and expected" that the courts love to use. One very large carrier + one very large settlement, and the other carriers will notice.
>
> It's not impossible. It is hard, but many hard things are worth doing.


As a co-author of BCP38, I am sick and tired of being sick and tired
-- it is a good idea and we still need to push on this.

And with regard to DNS amplification attacks, I have a new way to do
things I would prefer not to do -- spend more time flying around the
world explaining to people how to stop being bad stewards in the basic
hygiene of the Internet.

If anyone can find some fault in that, then you are not part of the
solution. Period.

- ferg



-- 
"Fergie", a.k.a. Paul Ferguson
 fergdawgster(at)gmail.com


