Tier 2 ingress filtering
Jay Ashworth
jra at baylink.com
Thu Mar 28 17:07:24 UTC 2013
In the current BCP38/DDoS discussions, I've seen a lot of people suggesting
that it's practical to do ingress filtering at places other than the edge.
My understanding has always been different from that, based on the idea
that the carrier to which a customer connects is the only one with which
that end-site has a business relationship, and therefore (frex), the only
one whom that end-site could advise that they believe they have a valid
reason to originate traffic from address space not otherwise known to
the carrier; jack-leg dual-homing, for example, as was discussed in still
a third thread this week.
The edge carrier's *upstream* is not going to know that it's reasonable
for their customer -- the end-site's carrier -- to be originating traffic
with those source addresses, and if they ingress filter based on the
prefixes they route down to that carrier, they'll drop that traffic...
which is not fraudulent, and has a valid engineering reason to exist and
appear on their incoming interface.
Fixing that will require the construction of an entirely new tracking system
at the Tier 2, which is not really the case for the Tier 3 edge carrier,
as I see it - you generally just turn unicast-rpf on for everyone's port,
unless you have a signed waiver in your file cabinet, in which case
you turn it off.
Am I missing something?
Or is the overarching problem large enough that people are willing to
throw the baby out with the bathwater?
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA #natog +1 727 647 1274
More information about the NANOG
mailing list