Tier 2 ingress filtering
Jay Ashworth
jra at baylink.com
Thu Mar 28 19:27:04 UTC 2013
----- Original Message -----
> From: "William Herrin" <bill at herrin.us>
> So, you represent to your ISP that you're authorized to use a certain
> range of addresses. He represents to his upstream that he's authorized
> to use them on your behalf, and so on.
The former is a first-hand transaction: if you're lying to your edge
carrier, he can cut you off with no collateral damage.
The latter, though, is arms-length, *and* has no reasonable way to be
implemented that I can see without extending whatever OAM&P system
that carrier has atop their gear.
> The reliability of these representations obviously falls at they grow
> distant from the source. So what? That's a problem for RPKI. The
> problem we need concern ourselves with is dropping packets whose
> source addresses are inconsistent with our customer's _representation_
> of the addresses he's authorized to originate, however reliable or
> unreliable that representation may turn out to be.
That's great, but that's a couple orders of magnitude of added complexity
that, quite frankly Bill, I can't sell just now. :-)
Worse (to bring this ontopic for NANOG): that complexity needs to live
*inside routers*, unless I'm very much mistaken.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA #natog +1 727 647 1274
More information about the NANOG
mailing list