As a very early starting point, having scanned the ietf BCPs, I table the following. I believe we need to consider both what the requirements should be, and also what incentives there might be for compliance. I suggest the emphasis should be on satisfying the world at large that the Internet community encourages its members to behave responsibly. A secondary objective might be education for new operators. ========================================== RIPE Implementation Requirements 1. INHIBIT ADDRESS SPOOFING 1.1 BCP 38 (rfc 2827) with BCP 84 (rfc 3704) Ingress Filtering Implemented at every access router and switch as appropriate for: 1. Single host 2. Non-Transit subnet 3. Registered sub-network transit (tell ISP of additional address spaces) 4. Open Transit (restrict to BGP?) 5...... 1.2 Install RIPE supplied anti-spoofing probe at 10% of access PoPs 1.3 [Consider] TCP/UDP/SCTP.... port filtering Accept DNS replies (src port 53) only from customers requesting DNS support. Block dest port 53 toward non-hosting clients. 2. POLICIES FOR PEERING Register External Routing Policy in RIPE Db. Ask Peers to comply with this doc (? Inter-RIR ?) ? Apply route filtering At IX ask Peers to maintain AS-MAC mapping, in order to facilitate back-tracking 3. DNS POLICIES ?rfc 2870 (BCP 40) ?rfc 2219 BCP 17 ?rfc 2182 BCP 16 4. POLICIES FOR EMAIL ?rfc 2505 (BCP 30) Steve Nash 17 June 2013 steve.nash@theiet.org ================================