[dns-operations] Having doubts about BCP38 solving the ORN problem

Fred Morris m3047 at m3047.net
Sun Mar 31 19:33:29 UTC 2013


I'm sure this must have been discussed at some point, somewhere.

The premise with regard to BCP38 + open resolvers is that the spoofed
packets reside on different networks than the resolvers. If these
resolvers are primarily CPE and other unmaintained equipment, then it
stands to reason that they reside inside networks containing other
equipment; and this equipment could be the source of the source-spoofed
(DNS) packets.

Reflecting traffic off of an open resolver on one's own network would
serve to cloak the true identity of the originator.

BCP38 filtering on egress from the network is ineffective in such
scenarios because it is based on the assumption that the spoofed packets
are coming in from outside the network (and hence originated as egress
from someone else's network).

If the good guys can map open resolvers, so can the bad guys. (There are
no "black hat" data scientists?)

If we know that spoofed port queries are traversing peering points, then
we know the networks they're coming from. If we don't know that, then see
above; if we can't shame them, see "Maginot Line".

--

Fred Morris
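To make the placement argument concrete, here is an added toy model (not part of Fred's message) of a provider network with a BCP38 filter at the peering edge versus one at the customer access port; all prefixes, port names and hosts are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology (assumed, not from the post): one provider prefix, two
# customer access ports, an open resolver on CPE behind port2, a victim outside.
PROVIDER_PREFIX = ipaddress.ip_network("198.51.100.0/24")
PORT_SUBNETS = {
    "port1": ipaddress.ip_network("198.51.100.0/28"),
    "port2": ipaddress.ip_network("198.51.100.16/28"),
}
OPEN_RESOLVER = ipaddress.ip_address("198.51.100.20")  # behind port2
VICTIM = ipaddress.ip_address("203.0.113.9")           # not in our prefix


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    ingress_port: Optional[str]  # None: emitted by an in-network host such as the resolver

def border_egress_filter(pkt: Packet) -> bool:
    """BCP38 at the peering edge: only sources inside our prefix may leave."""
    return pkt.src in PROVIDER_PREFIX

def access_ingress_filter(pkt: Packet) -> bool:
    """BCP38 at the customer port: the source must belong to that port's subnet."""
    return pkt.ingress_port is not None and pkt.src in PORT_SUBNETS[pkt.ingress_port]

def forward(pkt: Packet, access_filtering: bool) -> dict:
    """Walk one packet through the network; a query reaching the open resolver
    is answered toward its (possibly spoofed) source address."""
    if pkt.ingress_port is not None and access_filtering and not access_ingress_filter(pkt):
        return {"dropped_at": "access", "reached_victim": False}
    if pkt.dst in PROVIDER_PREFIX:
        # Internal destination: the packet never crosses the border, so the
        # egress filter is never consulted, whatever its source address says.
        if pkt.dst == OPEN_RESOLVER:
            return forward(Packet(OPEN_RESOLVER, pkt.src, None), access_filtering)
        return {"dropped_at": None, "reached_victim": False}
    if not border_egress_filter(pkt):
        return {"dropped_at": "border", "reached_victim": False}
    return {"dropped_at": None, "reached_victim": pkt.dst == VICTIM}

def spoofed_query_from_port1() -> Packet:
    """Constructed query from a host behind port1 that claims the victim's address."""
    return Packet(VICTIM, OPEN_RESOLVER, "port1")
```

With only the edge filter, the spoofed query is answered by the in-network resolver and the reply leaves with a legitimate source; with per-port source validation it is dropped before it reaches the resolver.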



