A couple of days ago, I came up with a thought about the ideal way to get ISPs to actually deploy BCP 38 (aka “don’t let out traffic with source addresses that are spoofed to be from elsewhere”).
The good news is that it’s appropriately evil enough that folks I mentioned it to last night really appreciated it.
The bad news is that it involves legislation, and it impacts folks with deep pockets, so will never get passed without being corrupted to, at the very least, have severe side-effects, and more likely accomplish the opposite of that which was intended. Note that this is a consequence of the flawed legislative system in place, not a consequence of the proposal.
The Proposal: ISP carrier liability immunity is only applicable to traffic which is entirely within their network, or entering their network from outside, or leaving their network with a source address, as directly visible to their routers, which is allocated to them or for which appropriate contracts are in place.
You leak traffic with spoofed addresses? Well, you have no immunity for anything that traffic is doing.
Guess what? If you implement BCP 38 filtering, you’re back to being safe.
VPNs and tunnels? You’re only responsible for the outer layer.
Multi-homed customers? That’s fine, you have contracts.
Want to make things nicer for operational cleanliness and help reduce the likelihood of more hijacking such as Pakistan messing up Youtube?
Proposal 2: ISP carrier liability immunity for traffic leaving their network is limited to traffic for which appropriate operational routing databases have correct information about the source address blocks.
-The Grumpy Troll