[dns-operations] Configurable TC=1?

Roland Dobbins rdobbins at arbor.net
Thu Dec 24 02:06:05 UTC 2015

On 24 Dec 2015, at 5:00, Mark Andrews wrote:

> Encouraging all DSL and Cable forum members to have *all* equipment 
> they produce support BCP 38 filtering at line rate is a good way
> to start.

And enabled by default - concur 100%.  This is a portion of the topology 
in which source-address validation by default won't break the world.

But it's important to keep in mind that a substantial proportion, if not 
an outright majority, of reflection/amplification attacks appear to be 
initiated from compromised servers in IDCs.

My contention is that making Ethernet access ports default with DHCP 
Snooping and IP Source Guard/SAVI or an equivalent enabled may well  
doable, without breaking the world.  VMotion and similar mechanisms 
would have to be taken into account - that's the most significant 
corner-case (there are others, but they're relatively rare), AFAICT.

Another area that needs improvement is broken CPE which will merrily 
pass along unmodified packets marked with source addresses beyond the 
configured private NAT scope.  This isn't a gigantic problem, but should 
be included for the sake of completeness, along with the manifold other 
problems, including abusable services enabled by default, in the CPE 

Roland Dobbins <rdobbins at arbor.net>

More information about the dns-operations mailing list