NSPs and filters

Alan Hannan alan at mindvision.com
Sun Jul 13 04:53:51 UTC 1997


jl> I'm not saying UUNet should install whatever filters I want on their  
jl> routers.  I'm just saying the net would be a MUCH nicer place if NSP's all
jl> did ingress filtering on their customer connections.  If current routers  
jl> can't handle the load this would create, then NSP's need to find vendors  
jl> willing to deliver the necessary power, or they need to rethink the way   
jl> they design their networks.                                               

randy> Most of my customers have customers who in turn have
randy> customers, not a few of whom are multi-homed.  Same for
randy> UUNET, ...

randy> So, at POP X, I take in maybe 100 prefixes, with maybe 1000
randy> at some POPs.  How do I build and maintain that filter list,

  The same way you build and maintain routing filter lists for the
  prefixes you take in.

  You do use routing filter lists, don't you?

  It should be the same list of networks.

randy> and how long does it take each packet to get through it with
randy> a router that also does real routing?

  Therein lies the argument.

  Do the huddled masses want things that move packets or things that make
  judgements on them?  Difficult to have both.

  I don't think the world is yet able to technically support security
  within the infrastructure that provides transit.  It needs to be 
  at a separate layer, or on the fringe.  

  The economies of today's customer aggregation routers do not 
  allow a person to invest in that functionality inherent in the
  router.  (yes, they could, but that cuts into the company's bottom
  line, and as there really isn't that big of an outcry or decrement
  in QOS of the company's IP product, why would they?)

  Accordingly, one must rely upon reactionary security folk to track
  down the attacks of bogus packets.  Significant investment should be 
  made and supported in building automated response systems and scripts.

  Should the USPS forbid mail with bad return addresses?

  -alan
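
The suggestion above that the packet filter "should be the same list of networks" as the routing filter, as an added example that is not part of the original message: one prefix list per customer port drives the source-address check, collapsed and binary-searched so the per-packet cost grows with the logarithm of the list size. Port names, prefixes (documentation ranges) and sample packets are constructed assumptions.

```python
import bisect
import ipaddress

# Constructed sample: prefixes accepted from each customer port,
# i.e. the routing filter list already maintained for that port.
CUSTOMER_ROUTE_FILTER = {
    "cust-a": ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24"],
    "cust-b": ["203.0.113.0/26"],
}

def build_ingress_filter(prefixes):
    """Collapse a routing prefix list into sorted, non-overlapping (start, end) ranges."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes)
    return sorted((int(n.network_address), int(n.broadcast_address)) for n in nets)

def source_permitted(ranges, src):
    """True if src lies inside a prefix the customer is allowed to announce."""
    addr = int(ipaddress.ip_address(src))
    # Find the last range whose start is <= addr, then check its upper bound.
    i = bisect.bisect_right(ranges, (addr, float("inf"))) - 1
    return i >= 0 and ranges[i][0] <= addr <= ranges[i][1]

def check_packets(route_filter, packets):
    """Return (port, src, verdict) for each observed (port, source address) pair."""
    filters = {port: build_ingress_filter(p) for port, p in route_filter.items()}
    verdicts = []
    for port, src in packets:
        ok = source_permitted(filters.get(port, []), src)
        verdicts.append((port, src, "permit" if ok else "drop"))
    return verdicts

if __name__ == "__main__":
    # Constructed observations: source addresses seen arriving on each port.
    sample = [("cust-a", "192.0.2.200"), ("cust-a", "203.0.113.5"),
              ("cust-b", "203.0.113.63"), ("cust-b", "203.0.113.64"),
              ("cust-b", "10.1.2.3")]
    for row in check_packets(CUSTOMER_ROUTE_FILTER, sample):
        print(*row)
```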



