Tier 2 ingress filtering

Jay Ashworth jra at baylink.com
Thu Mar 28 19:47:19 UTC 2013


----- Original Message -----
> From: "Saku Ytti" <saku at ytti.fi>

> On (2013-03-28 13:07 -0400), Jay Ashworth wrote:
> 
> > The edge carrier's *upstream* is not going to know that it's reasonable
> > for their customer -- the end-site's carrier -- to be originating traffic
> > with those source addresses, and if they ingress filter based on the
> > prefixes they route down to that carrier, they'll drop that
> > traffic...
> 
> The question is, is it reasonable to expect the customer to know what
> networks they have?

If by "customer" you mean the same thing I do: an end user who sources
and sinks packets, which is fed by some Internet Access Provider... 

then my answer is the same thing it was before: 

"No, but it doesn't matter, because we're talking about ingress filters
on the carrier which provides them with public address space, and *it*
*does* know which network they've been given."

> If yes, then you can ask them to create route objects and then you can
> BGP prefix-filter and ACL on them. I do both, and it has never been a
> problem for my customers (enterprises, CDNs, eyeballs).

You are at least 30,000 feet higher than the conversation I'm having.

BGP-speaking end sites are a whole different matter, and sufficiently
smaller in number (2-5 orders of magnitude, depending on what you sell)
that they're not really pertinent here.
 
> But if your customer has many other transit customers it can quickly become
> less practical. I'm sure for many/most customers of a tier 1 it would not
> be reasonable to expect them to keep such a list up-to-date.

Correct, and this was the substance of my question.

> You can't do it at the top level, nor is it practical to hope that some
> day BCP38 is done on reasonably many last-mile ports.

I don't know that that's true, actually; unicast-rpf does, as I understand
it, most of the work, and is in most of the current firmware.

> But there are only 6000 non-stubby networks; if you do it at the network
> before the stubby network, it's entirely practical and maintainable, provided
> we'd want to do it.

Your assertion is the thing for which I'm requesting support in this query.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274
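The thread contrasts three ingress-filtering mechanisms: a static BCP38 ACL built from what the carrier has assigned to a customer port, strict unicast RPF, and loose unicast RPF. The following simulation is an added example, not code from this NANOG thread or from either poster; the FIB, interface names, customer assignments and sample packets are all constructed and hypothetical. The fourth packet models the case Jay raises: a customer's own address arriving over a different path than the one the router would route back through, which a static ACL or strict uRPF at the next tier up would drop even though the traffic is legitimate.

```python
"""Simulated BCP38 / unicast-RPF ingress-filter verdicts (added example).

Everything here is constructed: the FIB, interface names, customer
assignments and packets are hypothetical, not from any real network.
"""
import ipaddress

# Constructed FIB: destination prefix -> egress interface of the best route.
FIB = {
    ipaddress.ip_network("198.51.100.0/24"): "cust0",   # assigned to customer A
    ipaddress.ip_network("203.0.113.0/24"): "cust1",    # assigned to customer B
    ipaddress.ip_network("0.0.0.0/0"): "upstream0",     # default route toward transit
}

# Constructed "route objects": prefixes the carrier allocated to each customer port.
ASSIGNED = {
    "cust0": [ipaddress.ip_network("198.51.100.0/24")],
    "cust1": [ipaddress.ip_network("203.0.113.0/24")],
}


def longest_match(fib, addr):
    """Return (prefix, interface) of the most specific route covering addr, or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_permits(fib, src, ingress_iface, mode="strict"):
    """Unicast RPF verdict for a packet with source src arriving on ingress_iface.

    strict: the best route back to src must point out the ingress interface.
    loose:  any route to src is enough.
    In this simulation the default route does not count as a route to src,
    mirroring the usual "no allow-default" behaviour of uRPF implementations.
    """
    match = longest_match(fib, src)
    if match is None:
        return False
    prefix, iface = match
    if prefix.prefixlen == 0:
        return False
    if mode == "loose":
        return True
    return iface == ingress_iface


def acl_permits(assigned, src, ingress_iface):
    """BCP38-style static ACL: source must lie in a prefix assigned to that port."""
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in assigned.get(ingress_iface, []))


# Constructed sample packets: (source address, arriving interface, description).
PACKETS = [
    ("198.51.100.7", "cust0", "customer A sourcing its own space"),
    ("203.0.113.9", "cust0", "customer A spoofing customer B's space"),
    ("192.0.2.5", "cust0", "source covered only by the default route"),
    ("198.51.100.7", "upstream0", "A's address arriving from transit (asymmetric path)"),
]


def classify(packets=PACKETS, fib=FIB, assigned=ASSIGNED):
    """Return {description: (acl_ok, strict_urpf_ok, loose_urpf_ok)} for each packet."""
    verdicts = {}
    for src, iface, desc in packets:
        verdicts[desc] = (
            acl_permits(assigned, src, iface),
            urpf_permits(fib, src, iface, "strict"),
            urpf_permits(fib, src, iface, "loose"),
        )
    return verdicts


if __name__ == "__main__":
    for desc, (acl, strict, loose) in classify().items():
        print(f"{desc:55s} acl={acl!s:5s} strict={strict!s:5s} loose={loose}")
```

Only the spoofed packet is caught by all three mechanisms, while loose uRPF passes it, which is why loose mode is a weak substitute for BCP38 on customer-facing ports. The asymmetric-path packet is the operational trade-off under discussion: strict mode and a static ACL both drop it, so whoever applies them needs an accurate view of which prefixes can legitimately appear on that port.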
