Re: BCP38 Deployment

[Sean Donelan <sean () donelan com>]

The power of defaults.

The few successful Internet security "best practice" changes have 
primarily resulted from changes to default settings, not trying to get 
ISPs, operators, sysadmins or users to change.

Smurf attacks - change default directed-broadcast settings in dominant 
router vendors

Open SMTP relays - changed default SMTP server settings in dominant SMTP 
software sources/vendors

Windows network-level worms - changed default Windows XP/SP2 firewall 
settings to closed inbound

Although it may take 10+ years for a product replacement cycle (Windows 
XP is taking a longer), the same laziness/money/ignorance reasons why 
its nearly impossible to get people to implement "best practices" is why 
a change to the default settings is so effective.  The few times the new 
default doesn't work, the operator then has an incentive to change it. 
The times the default doesn't impact the operator, there is no incentive 
to change it.

Expecting an average person (ISP, sysadmin, programmer, etc) to discover 
and understand many obscure configuration options which don't directly 
impact what they want to do isn't realistic.  People tend to not 
pro-actively look for problems until it causes them a problem.  Even
worse, systems tend to revert back to defaults when a mistake or change
to unrelated parts of the system are made without the user/operator
realizing it.

The "experts" are the people who created the open source software or 
vendors creating the product, not the users/customers.

SSH is a rare example where operators pro-actively sought and changed
their behaivor; but even then, there were probably more operators that 
went with the default.