Tier 2 ingress filtering

Saku Ytti saku at ytti.fi
Thu Mar 28 19:02:43 UTC 2013


On (2013-03-28 13:07 -0400), Jay Ashworth wrote:

> The edge carrier's *upstream* is not going to know that it's reasonable
> for their customer -- the end-site's carrier -- to be originating traffic
> with those source addresses, and if they ingress filter based on the 
> prefixes they route down to that carrier, they'll drop that traffic...

The question is, is it reasonable to expect the customer to know what networks
they have?
If yes, then you can ask them to create route objects and then you can BGP
prefix-filter and ACL on them. I do both, and it has never been a problem for
my customers (enterprises, CDNs, eyeballs).

But if your customer has many other transit customers it can quickly become
less practical. I'm sure for many/most customers of tier1 it would not be
reasonable to expect them to keep such a list up-to-date.

You can't do it at the top level, nor is it practical to hope that some day
BCP38 is done in reasonably many last-mile ports.
But there are only 6000 non-stubby networks; if you do it at the network before
the stubby network, it's entirely practical and maintainable, provided we'd
want to do it.

-- 
  ++ytti
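
An added example, not part of the original message: a Python sketch of deriving one list from a customer's route objects and using it as the source-address ACL, including the case from the quoted text where a downstream prefix was never registered. The route objects, ASNs (private-use range), addresses (documentation ranges) and function names are all constructed for illustration.

```python
import ipaddress

# Constructed RPSL route objects (documentation prefixes, private-use ASNs).
ROUTE_OBJECTS = """\
route:   192.0.2.0/25
origin:  AS64500

route:   192.0.2.128/25
origin:  AS64500

route:   198.51.100.0/24
origin:  AS64501

route:   203.0.113.0/24
origin:  AS64999
"""

def parse_route_objects(text):
    """Return (network, origin) pairs from blank-line separated route objects."""
    routes = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        if "route" in attrs and "origin" in attrs:
            net = ipaddress.ip_network(attrs["route"])
            routes.append((net, attrs["origin"].upper()))
    return routes

def build_filter(routes, customer_asns):
    """Collapse the prefixes registered by the listed ASNs into one filter."""
    nets = [net for net, origin in routes if origin in customer_asns]
    return list(ipaddress.collapse_addresses(nets))

def permits(acl, source):
    """Ingress ACL decision: is the source address inside a registered prefix?"""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in acl)

# Assumption: AS64500 is the customer and AS64501 is a transit customer it listed.
# AS64999 is a downstream whose prefix the customer did not tell us about.
ACL = build_filter(parse_route_objects(ROUTE_OBJECTS), {"AS64500", "AS64501"})

if __name__ == "__main__":
    for net in ACL:
        print("permit", net)
    for src in ("192.0.2.200", "198.51.100.7", "203.0.113.9"):
        print(src, "permit" if permits(ACL, src) else "deny")
```

The same collapsed list would feed both the BGP prefix-filter and the interface ACL, so the two cannot drift apart.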



