Source Address Validation Everywhere
source address validation is one of the windmills i've tilted at the most. the problem is so bad that most people who hear about it simply can't believe that the internet could work at all if what i'm saying is true. bad news folks: what i'm saying is true. in addition to many speaking engagements where i have let large audiences in on what ought not be a secret, i've done some writing on the topic, and some technology development. references are below. i also spoke to a reporter on this topic recently, and summarized the story of source address validation as follows:
ultimately i'm calling it a public health/safety hazard and demanding regulation. i'd like to see the world's governments recognize this as a problem and recognize that it's one private industry is uniquely unincentivized to address, but one which affects every citizen's life.i'd like the following steps to be seriously considered.
- civil penalties for contributory negligence when a non-SAV network is
used as a ddos launch point that causes public or private harm.- securities/exchange laws making SAV an audit checklist item for every
public company including both commercials and nonprofits.- ISO 9000 and/or 27000 terms of reference for this, so that buying
insurance is harder if your network isn't doing SAV.- USG, as the largest i.t. buyer in the world, should stop buying
services from companies who don't practice SAV.- this should become an ITU treaty term. any country who values its
call termination fees should be required to enforce SAV as local law.and so on. right now this is the biggest problem on the internet but private industry is ignoring it and the public and government doesn't know anything about it. this is the internet's version of global warming, except there's no dissent as to the problem or its solution.
let's be excellent to each other, ok?
references:
- vixie's blog
- 13665 reads