[Pool] source address verification/filtering for fun and profit

Jim Reid ntp-pool at rfc1035.net
Wed Feb 12 12:30:22 UTC 2014

On 11 Feb 2014, at 18:35, Rob Janssen <rob at knoware.nl> wrote:

>> Widespread uptake of source address filtering is just not going to happen.
> Wasn't that claimed in the days of the open SMTP relay as well?
> Yet, the problem was resolved.

Only in part. There are still open relays out there and things like the SORBS blacklist remain active.

Besides, that's a flawed analogy. There were very few MTA implementations in the early days of the Internet. So when sendmail stopped being an open relay by default, that problem largely went away. In any case, there's a world of difference between running a mail server and keeping the packets moving in an operational network that has complex, continuously changing interactions with many third parties.

I suggest that rather than make sweeping statements here about how simple/quick/cheap/straightforward it would be for everyone to deploy source address validation/filtering, you actually make that deployment happen. A good starting point would be to discuss your plan with the ISPs and hosting companies at your nearest Internet exchange. You won't need to do that on this list so I hope we can now stop this thread here. FYI I have had those sorts of conversations with IXPs and ISPs and it's been explained why "although we'd *really, really* like to do source address filtering/validation there are compelling technical and business reasons for not switching that on".