[dns-operations] Configurable TC=1?
Mark Andrews
marka at isc.org
Wed Dec 23 22:00:52 UTC 2015
In message <D2A07943.12480%edward.lewis at icann.org>, Edward Lewis writes:
>
> On 12/21/15, 16:58, "dns-operations on behalf of Paul Vixie"
> <dns-operations-bounces at dns-oarc.net on behalf of vixie at tisf.net> wrote:
>
> >when planning defense, it's best to think at least one step ahead.
>
> I've been following this thread form afar. The above sounds good on paper
> but trying to be one step ahead implies there is a set of rules of
> engagement. I'd optimize to play to one's strengths. That's why I've
> pinned hopes on figuring out how to better manage the transport layer.
>
> >
> >the right way to incentivize more BCP38 deployment.
>
> Given the fairly unmanageable state of global routing (especially when it
> comes to securing it), I won't hold my breath waiting for universal
> deployment of BCP 38. Nice if it happens, but I wouldn't rely on it
> happening.
Encouraging all DSL and Cable forum members to have *all* equipment
they produce support BCP 38 filtering at line rate is a good way
to start. This may already be being done. This gets rid of the
"it costs more to buy BCP 38 filtering capable equipment" excuse.
If is doesn't support "BCP 38 filtering" it doesn't get the stamp
of approval.
Encourage the developement of secure methods to add automatic exceptions
to filters. We have SIDR. Leverage that to say "add a exception for this
block of addresses we have been assigned".
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations
mailing list