Proposal for a RIPE "IP Spoofing" Task Force

On Thu, 2006-04-06 at 16:25 +0200, Daniel Karrenberg wrote:
> Dear colleagues,
> 
> unfortunately DoS amplification attacks are still with us.
[..]

I think it is very good think to have such a working group.

The biggest reason that I heared from various ISP's for not
doing RPF/ingressfiltering etc. is that they claim their
gear doesn't support it, or that it would overload their
hardware too much, thus they don't want to enable it.
Same reason why they don't filter out RFC1918 and other
darkspace in many places.

Still having even 80% of the places doing it takes care of
those 80% places. The other nests can't be controlled anyway.
Getting everybody to cooperate is probably not done.

Maybe a good incentive would be that ISP's would not link
to another network if that other network, but that brings in
a lot of political issues too next too technical ones...

Transit ISP's could of course in those cases filter out their
downstream customers, which is what they should be doing IMHO...

Maybe a "Secure Internet Working" TF is a better idea, then
it can also raise awareness in the future of possible S-BGP/BGP-S
solutions, anti-spam solutions, closing down relays, tracking ddos
bots... oops too many potholes, better focus on one I guess ;)

Greets,
 Jeroen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 315 bytes
Desc: This is a digitally signed message part
URL: </ripe/mail/archives/ripe-list/attachments/20060406/1081bbb7/attachment.sig>