by JoshTriplett 599 days ago
> Which means, if you just find one transit provider which doesn’t do BCP38 filtering… you can send IP packets tagged with any source IP you want! And unfortunately, even though the origins of BCP38 date back to 1998… there are still network providers 25 years later that don’t implement it.

What would it take to get enough network providers to start rejecting traffic from all ASes that don't implement this, so that spoofing was no longer possible?

2 comments

Cloudflare is probably enough. They already control enough ingress that their "checking the security of your connection" could actually mean something.
You'd have to find some way to make network providers care. Especially 'tier 1' transit providers and other networks of unusual size.

It's much easier to work on reducing reflection multipliers though, because you can scan (ipv4 anyway) for reflection vectors and yell at people that will respond with 10x the input bytes.
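To make the two mechanisms discussed in this thread concrete, here is an added example that is not part of the original post or any reply: a minimal BCP38-style ingress filter (the per-interface source-prefix check the quoted article refers to) and a small helper that ranks observed request/response sizes by their reflection multiplier, as the last reply suggests. The interface names, customer prefixes, packets and byte counts are all constructed for illustration; nothing here models a real provider's configuration.

```python
"""Added example: BCP38-style ingress filtering plus reflection-multiplier triage.

A provider's edge router knows which source prefixes legitimately sit behind each
customer-facing interface. BCP38 ingress filtering drops any packet arriving on
that interface whose source address is outside those prefixes, so a customer
behind a filtering provider cannot emit packets with a forged source address.
All interface names, prefixes, packets and sizes below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Dict, List, Tuple, Union

Network = Union[IPv4Network, IPv6Network]

# Constructed per-interface allow lists: the prefixes the provider has assigned
# to (or accepted routes for from) the customer on each port.
CUSTOMER_PREFIXES: Dict[str, List[Network]] = {
    "ge-0/0/1": [ip_network("203.0.113.0/24"), ip_network("2001:db8:1::/48")],
    "ge-0/0/2": [ip_network("198.51.100.0/25")],
}


@dataclass(frozen=True)
class Packet:
    ingress_if: str  # interface the packet arrived on
    src: str         # source address as written in the IP header
    dst: str
    length: int      # bytes on the wire


def bcp38_permit(ingress_if: str, src: str) -> bool:
    """True if `src` is a legitimate source for packets arriving on `ingress_if`.

    Unknown interfaces are denied by default; an address family mismatch
    (IPv6 source checked against an IPv4 prefix) never matches.
    """
    allowed = CUSTOMER_PREFIXES.get(ingress_if)
    if allowed is None:
        return False
    addr = ip_address(src)
    return any(addr.version == net.version and addr in net for net in allowed)


def filter_packets(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split packets into (permitted, dropped) according to the ingress filter."""
    permitted: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        (permitted if bcp38_permit(pkt.ingress_if, pkt.src) else dropped).append(pkt)
    return permitted, dropped


# Constructed traffic: two packets carry sources outside their port's prefixes.
SAMPLE_PACKETS = [
    Packet("ge-0/0/1", "203.0.113.7", "192.0.2.10", 120),
    Packet("ge-0/0/1", "192.0.2.55", "192.0.2.10", 60),        # forged source
    Packet("ge-0/0/2", "198.51.100.9", "192.0.2.10", 500),
    Packet("ge-0/0/2", "198.51.100.200", "192.0.2.10", 60),    # outside the /25
    Packet("ge-0/0/1", "2001:db8:1::10", "2001:db8:9::1", 80),
]


def summarize(packets: List[Packet] = SAMPLE_PACKETS) -> Dict[str, int]:
    permitted, dropped = filter_packets(packets)
    return {"permitted": len(permitted), "dropped": len(dropped)}


# --- Reflection multiplier triage -------------------------------------------
# For a UDP service you operate, the ratio of response bytes to request bytes
# is the amplification an attacker would get by sending spoofed requests to it.

def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


# Constructed (service, request bytes, response bytes) observations.
REFLECTION_OBSERVATIONS = [
    ("udp/53 (DNS)", 64, 3100),
    ("udp/123 (NTP)", 48, 60),
    ("udp/1900 (SSDP)", 90, 1200),
]


def flag_reflectors(observations=REFLECTION_OBSERVATIONS, threshold: float = 10.0):
    """Return (service, factor) for services answering with >= threshold x the input."""
    return [
        (svc, round(amplification_factor(req, resp), 1))
        for svc, req, resp in observations
        if amplification_factor(req, resp) >= threshold
    ]


if __name__ == "__main__":
    print(summarize())
    print(flag_reflectors())
```

`bcp38_permit` is the whole of the idea: a packet is judged by the interface it arrived on, not by anything it claims about itself. The amplification helper uses the same 10x cut-off the reply mentions; run it over measurements of your own exposed UDP services to see which ones would be worth closing or rate-limiting first.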