peering requirements (Re: DDOS anecdotes)

Paul A Vixie vixie at mfnx.net
Tue Jun 26 21:52:20 UTC 2001


> is the acl for large peers 2 known and loadable into routers?

no.  not now, not ever.

> i am not comfortable with the assumption that my peer must have similar
> agreements with all their peers.  heck, if i did, then, aside from the
> business issues (you gonna force att/cw/sprint/uu/... how to conduct their
> peering policy?) how does all this bootstrap?

that's it.  you've put your finger on the knot.

> so we have two problems with this
>   o we can't tell big peers how to conduct their business

maybe, maybe not.  it depends on whether the cost of not doing it outweighs
the cost of doing it.  big peers are big because they run successful and for
the most part profitable businesses.  and sure as hell the cost of not doing
this is going up quickly, while the cost of doing it is coming down slowly.
(have the lines crossed yet?  let's find out!)

>   o source filtering at high bandwidth

i consider this nonsolvable.  some routers can already do it, but making the
ownership and deployment of such routers be the minimum price of entry into
the peering game is a fatal nonstarter of an idea.  and the infrastructure
for expressing netblock ownership in a way that could be used to build
accurate and reliable filters (assuming the routers could load such filters
and act on them at wire speed) isn't there.  i think this way lies madness.

source filtering is an edge problem, at current technology levels.  but how
to ensure that other people do it at THEIR edge is a separate problem from how
to do it at YOUR edge.  the former is social/economic, the latter is technical.
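The edge-side source filtering described above, as an added illustration that is not part of the original message or of any NANOG participant's code: an edge router admits a packet from a customer-facing port only if its source address falls inside the prefixes assigned to that port, and drops everything else. The prefixes and the packets are constructed sample data; a real deployment would take the prefix list from the provider's own allocation records, which is exactly the piece the message says does not exist for building filters against large peers.

```python
import ipaddress
from collections import Counter

# Constructed example: the prefixes a provider has assigned to the customers
# behind one edge port.  This is the "YOUR edge" case: the operator knows
# which netblocks it handed out, so an accurate filter is buildable.
EDGE_PREFIXES = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed packets as (source, destination) pairs.  Two of the "bad" ones
# have sources that are not ours at all; one is just outside a /25 boundary,
# the kind of misconfiguration that a source filter catches alongside spoofing.
SAMPLE_PACKETS = [
    ("192.0.2.10", "203.0.113.5"),
    ("198.51.100.7", "203.0.113.5"),
    ("198.51.100.200", "203.0.113.5"),  # outside 198.51.100.0/25
    ("10.0.0.1", "203.0.113.5"),        # private source, never legitimate here
    ("203.0.113.9", "203.0.113.5"),     # someone else's netblock
    ("192.0.2.255", "203.0.113.5"),     # still inside 192.0.2.0/24
]


def build_filter(prefixes):
    """Return a predicate that says whether a source address is permitted.

    Addresses of a different IP family than a prefix never match it, so the
    same filter works for a mixed v4/v6 prefix list.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]

    def permitted(src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in nets)

    return permitted


def filter_packets(packets, permitted):
    """Split packets into forwarded and dropped lists by source address."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if permitted(src) else dropped).append((src, dst))
    return forwarded, dropped


def summarize_drops(dropped):
    """Count dropped packets by the /24 of their source.

    Feeding this to a log or counter is what lets an operator see whether a
    drop is a one-off misconfiguration or a sustained spoofed flood.
    """
    counts = Counter()
    for src, _ in dropped:
        counts[str(ipaddress.ip_network(f"{src}/24", strict=False))] += 1
    return counts


def run_example():
    permitted = build_filter(EDGE_PREFIXES)
    return filter_packets(SAMPLE_PACKETS, permitted)


if __name__ == "__main__":
    forwarded, dropped = run_example()
    print(f"forwarded {len(forwarded)}, dropped {len(dropped)}")
    for net, n in summarize_drops(dropped).items():
        print(f"  dropped from {net}: {n}")
```

The predicate is trivial precisely because the operator owns the allocation data; the same `build_filter` cannot be populated for a large peer without a reliable, current list of every prefix that peer legitimately originates, which is the social and economic problem the message separates from the technical one.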


