On Sat, 9 Jun 2001, Bill Royds wrote: > If they sell routing services, they must only route for source > addresses they control. They are not looking at the content of the > packets but at the envelope (headers). This is where they, like other > common carriers, are responsible. When a telephone company sets up a > long distance call, it is responsible that the Caller ID is either > correct or blank. But they can't let it be for an exchange that they > don't run. But in that case the CNID signal is supposedly generated out of band, and generated by the carrier's equipment. In this case, the customer is generating the signaling. > If the ISP allows non-standard practices (and now with RFC, egress > filtering is recommended standard), then it is responsible for illegal > use of its practices. To be covered by common-carrier laws, one has to > follow standard common carrier protocols. Lots of RFCs are violated every day- some of them for very good reasons. If we're to codify RFCs as carrier law, there's probably not an ISP on the planet who wouldn't be the target of multiple lawsuits. Anyway, your terminology is wrong- it is not a _standard_, standards documents are preferaced with STD, and that's important when discussing carrier responsibilities and legal enforcement. Indeed from the text of RFC 2267: "This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited." and "All providers of Internet connectivity are urged to implement filtering described in this document to prohibit attackers from using forged source addresses which do not reside within a range of legitimately advertised prefixes." Note that the term "urged" isn't the typical community "must" language of most other RFCs that have pieces which should not be violated in implementation. Also under Liabilities: "Filtering of this nature has the potential to break some types of "special" services" Seems to indicate that an ISP may draw liability from implementing the recommendations to the detriment of its pre-existing contracts or level of service agreements. I doubt that there's not a defense attourney in the country who couldn't defend against such a suit. In any case, the RFC really is about backbone providers doing ingress filtering on their backbones, and I'm saying that the best solution is egress filtering at the leaf nodes. Best because (a) it distributes the performance out to where it's managable, and (b) because it distributes the proteciton out closer to the source of the illegitmate packet generation. That makes it signifcantly easier and more possible to implement for infrastructures with significant mulihomed points of presence and for places that are aggragating signifcant ammounts of layer 2 data prior to moving it to a layer 3 device (see a.) Unless I've missed another filtering RFC in there somewhere? Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@patriot.net which may have no basis whatsoever in fact." - [To unsubscribe, send mail to majordomo@lists.gnac.net with "unsubscribe firewalls" in the body of the message.]