NSPs and filters
Alan Hannan
alan at mindvision.com
Sun Jul 13 04:53:51 UTC 1997
jl> I'm not saying UUNet should install whatever filters I want on their
jl> routers. I'm just saying the net would be a MUCH nicer place if NSPs all
jl> did ingress filtering on their customer connections. If current routers
jl> can't handle the load this would create, then NSPs need to find vendors
jl> willing to deliver the necessary power, or they need to rethink the way
jl> they design their networks.
randy> Most of my customers have customers who in turn have
randy> customers, not a few of whom are multi-homed. Same for
randy> UUNET, ...
randy> So, at POP X, I take in maybe 100 prefixes, with maybe 1000
randy> at some POPs. How do I build and maintain that filter list,
The same way you build and maintain routing filter lists for the
prefixes you take in.
You do use routing filter lists, don't you?
It should be the same list of networks.
randy> and how long does it take each packet to get through it with
randy> a router that also does real routing?
Therein lies the argument.
Do the huddled masses want things that move packets or things that make
judgements on them? Difficult to have both.
I don't think the world is yet able to technically support security
within the infrastructure that provides transit. It needs to be
at a separate layer, or on the fringe.
The economies of today's customer aggregation routers do not
allow a person to invest in that functionality inherent in the
router. (yes, they could, but that cuts into the company's bottom
line, and as there really isn't that big of an outcry or decrement
in QOS of the company's IP product, why would they?)
Accordingly, one must rely upon reactionary security folk to track
down the attacks of bogus packets. Significant investment should be
made and supported in building automated response systems and scripts.
Should the USPS forbid mail with bad return addresses?
-alan
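Alan's point that the ingress packet filter on a customer port should be built from the same prefix list as the BGP route filter, worked through as an added example; this is not code from the original post or from any of the NANOG participants. The customer prefix list (RFC 5737 documentation space), the multi-homed downstream prefix 100.64.1.0/24, the sample packets and the IOS renderings are all constructed for illustration, and the vendor syntax is shown only as one way such a list might be emitted. It uses only the Python standard library.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed prefix list for one customer port at a hypothetical POP.
# This single list is the source of both the route filter and the
# ingress packet filter.
CUSTOMER_PREFIXES = ["192.0.2.0/24", "198.51.100.0/23", "203.0.113.0/24"]

# Constructed sample packets (src, dst) arriving on that customer port.
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("192.0.2.10", "198.18.0.1"),    # inside 192.0.2.0/24: accepted
    ("198.51.101.7", "198.18.0.1"),  # inside 198.51.100.0/23: accepted
    ("10.1.2.3", "198.18.0.1"),      # private source, i.e. bogus: dropped
    ("192.0.3.1", "198.18.0.1"),     # one address past the /24: dropped
    ("100.64.1.5", "198.18.0.1"),    # multi-homed downstream, see below
]


def build_filter(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse the prefix list once; strict=True rejects prefixes with host bits set."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def route_permitted(nets, announced: str) -> bool:
    """Route filter: accept an announcement only if it is one of the
    customer's prefixes or a more-specific inside one of them."""
    p = ipaddress.ip_network(announced, strict=True)
    return any(p.version == n.version and p.subnet_of(n) for n in nets)


def source_permitted(nets, src: str) -> bool:
    """Ingress packet filter: accept a packet only if its source address
    lies inside one of the very same prefixes."""
    a = ipaddress.ip_address(src)
    return any(a.version == n.version and a in n for n in nets)


def filter_packets(nets, packets):
    """Split (src, dst) packets into (accepted, dropped) by source address."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if source_permitted(nets, pkt[0]) else dropped).append(pkt)
    return accepted, dropped


def add_prefix(nets, prefix: str):
    """Maintenance: adding a downstream's prefix to the one list updates
    the route filter and the packet filter together."""
    return nets + [ipaddress.ip_network(prefix, strict=True)]


def ios_prefix_list(nets, name: str = "CUST-IN") -> List[str]:
    """Render the list as an inbound BGP prefix-list (illustrative IOS syntax);
    'le 24' admits the prefix and any more-specific down to /24."""
    return [f"ip prefix-list {name} seq {10 * (i + 1)} permit {n} le 24"
            for i, n in enumerate(nets)]


def ios_access_list(nets, number: int = 101) -> List[str]:
    """Render the same list as the ingress ACL for the customer interface
    (illustrative IOS extended-ACL syntax; the wildcard mask is the hostmask)."""
    lines = [f"access-list {number} permit ip {n.network_address} {n.hostmask} any"
             for n in nets]
    lines.append(f"access-list {number} deny ip any any log")
    return lines


if __name__ == "__main__":
    nets = build_filter(CUSTOMER_PREFIXES)
    accepted, dropped = filter_packets(nets, SAMPLE_PACKETS)
    print("accepted:", accepted)
    print("dropped:", dropped)
    # The constructed downstream sources 100.64.1.0/24 through this customer
    # but announces it to another provider; until the prefix is added to the
    # list its packets are dropped, which is the upkeep cost raised in the thread.
    nets2 = add_prefix(nets, "100.64.1.0/24")
    accepted2, _ = filter_packets(nets2, SAMPLE_PACKETS)
    print("accepted after adding 100.64.1.0/24:", len(accepted2))
    print("\n".join(ios_prefix_list(nets2)))
    print("\n".join(ios_access_list(nets2)))
```

The two renderings come from one list, so the operational question in the thread reduces to how the list is maintained, not whether a second list can be kept in step. The fifth sample packet shows the cost of getting that wrong: a multi-homed downstream whose prefix is missing from the list has legitimate packets dropped until the list is updated. Source-address validation of this form was later written up as RFC 2827 (BCP 38).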