Request for comment -- BCP38
Mike Hammett
nanog at ics-il.net
Mon Sep 26 16:29:42 UTC 2016
I would assume that on a broadband grade connection it shouldn't work unless you have a niche player and proper LOA.
I would assume that on a BGP level circuit that it would work, again, given proper documentation (LOAs, IRRDB entry, etc.). IRRDBs make this wonderfully easier. By default, deny. Allow whatever is in the IRRDB entry. $250 for manual changes.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
----- Original Message -----
From: "Hugo Slabbert" <hugo at slabnet.com>
To: "Mike Hammett" <nanog at ics-il.net>
Cc: "John Levine" <johnl at iecc.com>, nanog at nanog.org
Sent: Monday, September 26, 2016 11:21:55 AM
Subject: Re: Request for comment -- BCP38
On Mon 2016-Sep-26 11:15:11 -0500, Mike Hammett <nanog at ics-il.net> wrote:
>>
>>----- Original Message -----
>>
>>From: "John Levine" <johnl at iecc.com>
>>To: nanog at nanog.org
>>Sent: Monday, September 26, 2016 11:04:33 AM
>>Subject: Re: Request for comment -- BCP38
>>
>>>If you have links from both ISP A and ISP B and decide to send traffic out
>>>ISP A's link sourced from addresses ISP B allocated to you, ISP A *should*
>>>drop that traffic on the floor. There is no automated or scalable way for
>>>ISP A to distinguish this "legitimate" use from spoofing; unless you
>>>consider it scalable for ISP A to maintain thousands if not more
>>>"exception" ACLs to uRPF and BCP38 egress filters to cover all of the cases
>>>of customers X, Y, and Z sourcing traffic into ISP A's network using IPs
>>>allocated to them by other ISPs?
>>
>>I gather the usual customer response to this is "if you don't want our
>>$50K/mo, I'm sure we can find another ISP who does."
>>
>>From the conversations I've had with ISPs, the inability to manage
>>legitimate traffic from dual homed customer networks is the most
>>significant bar to widespread BCP38. I realize there's no way to do
>>it automatically now, but it doesn't seem like total rocket science to
>>come up with some way for providers to pass down a signed object to
>>the customer routers that the routers can then pass back up to the
>>customer's other providers.
>>
>>R's,
>>John
>>
>>PS: "Illegitimate" is not a synonym for inconvenient, or hard to handle.
>>
>Are you talking BGP level customers or individual small businesses'
>broadband service?
I myself am talking about the latter and included the option of PI space to
cover that (although I guess at some point this can be made fly with PA
space from another provider if both providers are willing enough to play
ball), though from the $50/mo figure John listed, I'm assuming he's talking
about the latter.
Do people really expect to be able to do this on residential or small
business broadband networks? I can't remember any time in recent memory
where I assumed I could set a source address to any IP I fancy and have
that packet successfully make its way through the SP's network.
>
>-----
>Mike Hammett
>Intelligent Computing Solutions
>http://www.ics-il.com
>
>Midwest-IX
>http://www.midwest-ix.com
--
Hugo Slabbert | email, xmpp/jabber: hugo at slabnet.com
pgp key: B178313E | also on Signal
More information about the NANOG
mailing list