Do you mean something by "break" a network that is distinct from the game theoretic distinction Vixie is already drawing?
Are you talking about something specifically technical like VPN technologies, or something entirely different? It's not like the ocean of CPE devices Vixie references are all trying to advertise BGP routes.
I'm specifically not talking about CPE devices. Nobody cares about the network configuration on a 2Wire gateway.
I spent several years working on backbone DDoS stuff (I was the lead dev at Arbor Networks for Peakflow DoS, starting at version 2) and I remember large networks having trouble getting address verification working non-disruptively. Of course, the tool they had for it at the time was reverse path filtering; maybe things have gotten better since then.
My credentials involve being there when everyone hated SCO. I commented on the only other thread in this post because it's a legitimately good question: Who is Paul Vixie trying to convince here, and of what?
It seems that RRL can be applied simply to other stateless non-DNS protocols. My interpretation of Vixie's argument is that adding RRL to the majority of stateless protocols is marginally less impossible to implement than global SAV.
The question of pluralities versus majorities really matters when examining techniques. Bringing game theory into it really seems to help. e.g. Why bother figuring out a better method than reverse path filtering, if you require 2/3 of the global network to adopt the technique before the benefit kicks in?
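As an added example (mine, not code from the thread or from Vixie's paper), here is the RRL idea the post above describes applied to a generic stateless request/response protocol: responses are budgeted per (destination /24, response identity), so a spoofed flood that asks the same question "from" one victim prefix gets throttled while ordinary clients in other prefixes are unaffected. The budget size, the /24 keying, the amplification factor and the traffic are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed parameters (not from the thread): identical responses allowed
# per destination /24 per accounting window, and the window length.
RESPONSES_PER_SEC = 5
WINDOW_SECONDS = 1


class ResponseRateLimiter:
    """RRL-style limiter for any stateless request/response protocol.

    Keyed on (destination /24, response identity) rather than on the request
    alone: a spoofed amplification flood looks like one victim prefix asking
    the same question thousands of times, and that is what gets throttled.
    """

    def __init__(self, per_sec=RESPONSES_PER_SEC, window=WINDOW_SECONDS):
        self.per_sec = per_sec
        self.window = window
        # key -> [window_start_time, responses_sent_in_window]
        self.buckets = defaultdict(lambda: [None, 0])

    def allow(self, dst_ip: str, response_id: str, now: float) -> bool:
        prefix = ipaddress.ip_network(f"{dst_ip}/24", strict=False)
        bucket = self.buckets[(prefix, response_id)]
        if bucket[0] is None or now - bucket[0] >= self.window:
            bucket[0], bucket[1] = now, 0  # start a fresh accounting window
        if bucket[1] >= self.per_sec * self.window:
            return False  # over budget for this prefix/response: drop it
        bucket[1] += 1
        return True


def simulate(requests, amplification=50):
    """Return (bytes sent with no limiter, bytes sent with the limiter).

    `requests` is a list of (time, claimed source IP, query) tuples; each
    answered request sends `amplification` bytes toward the claimed source.
    """
    limiter = ResponseRateLimiter()
    unlimited = limited = 0
    for t, src, query in requests:
        unlimited += amplification
        if limiter.allow(src, query, t):
            limited += amplification
    return unlimited, limited


# Constructed flood: 1000 spoofed requests over 2 seconds, all claiming
# to come from the victim 203.0.113.7 and all asking the same question.
FLOOD = [(i / 500, "203.0.113.7", "ANY example.test") for i in range(1000)]

if __name__ == "__main__":
    print(simulate(FLOOD))
```

The flood's 50 kB of reflected traffic collapses to two windows' worth of responses, while the same code lets unrelated prefixes through untouched.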
First: Vixie is in the middle of this amplification stuff because he's one of the Internet's foremost lobbyists for the most convenient amplifier of all (DNS->DNSSEC). So maybe he's just, like: "I'm tired of responding to people's claims that DNSSEC is going to make DDoS easier and instead would prefer to rewrite the terms of the debate so that the presumption is everyone was supposed to have this rate-limiting band-aid all along".
Second: Don't overthink it. He's got a slot in ACM Queue, so maybe he just wanted to fill some column inches. "Free associate: what am I thinking about right now."
Third: This is all pretty silly. Even if you got global deployment of address verification AND every stateless protocol was rate-limited, it would still be trivial for attackers to launch vicious, debilitating DDoS attacks.
1) It's extremely difficult to reason about (DNS -> DNSSEC) in terms of a DDoS considering how many security protocols assume NTP exists.
2) I'm not, but this was posted 18 months ago, so I'm just thinking about the "global discussion" in general.
3) The fundamental argument Vixie is making is about tradeoffs. The impossibility of global SAV is an argument in favor of the difficulty of widely deployed RRL. It is an argument for spending the effort on something that might be accomplished.