Tier 2 ingress filtering

Jay Ashworth jra at baylink.com
Thu Mar 28 21:21:31 UTC 2013


Yeah, that's what I meant: ingress filter all edge connections except maybe BGP, and accept opt-out requests.

Valdis.Kletnieks at vt.edu wrote:

>On Thu, 28 Mar 2013 15:05:57 -0400, Jay Ashworth said:
>> ----- Original Message -----
>> > From: "Valdis Kletnieks" <Valdis.Kletnieks at vt.edu>
>> > For 5 9's worth of eyeball networks hanging off consumer-grade ADSL and cable
>> > connections, it's still the edge and still trivially filterable. If that's a
>> > problem, the ISP can upsell a business-class connection that doesn't
>> > filter. ;)
>>
>> C'mon guys: the edge is where people who *source and sink* packets
>> connect to people who *move* packets.  There may be some edges *inside*
>> carriers, but there is certainly an edge where carriers hook up customers.
>
>Exactly - packets leaving Comcast's network and going to another tier 1/2,
>the receiver may have a hard time figuring out if the packet is legit or not.
>But it's trivial for Comcast to tell whether the packet that just came out
>my cablemodem is consistent with what their DHCP server told my CPE.
>(For the record, the last time I tried running the spoofer.sail stuff
>on my home gear, it was totally unable to sneak a packet out, so at least
>part of Comcast does this right).
>
>And the fact that there's places where it *is* hard to deploy isn't an excuse
>for not doing it in the 98% of places where it's a slam dunk.
>
>> And no, this should apply to business-grade connections as much as resi.
>
>Oh, I was intending *those* would be filtered by default as well, but you
>could request an opt-out if you were trying to do multi-homing on the cheap
>as some people have suggested (similar to blocking outbound 25 by default,
>unless the user actually has a mail server).

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
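The per-subscriber check Valdis describes (is the source address of a packet leaving the cable modem consistent with what DHCP handed that CPE, with an opt-out for business customers who multi-home), modelled in Python as an added example that is not part of the thread; the subscriber table, port names, leases and packets are all constructed, and the opt-out flag and delegated-prefix list are assumptions about how an ISP would record those exceptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Subscriber:
    """What the ISP knows about one access port (constructed model)."""
    port: str                                       # cable modem / access port id
    leases: set = field(default_factory=set)        # addresses DHCP handed this CPE
    delegated: list = field(default_factory=list)   # prefixes routed to the customer
    opt_out: bool = False                           # customer asked to be exempt

def ingress_check(sub, src):
    """Return 'forward' or 'drop' for a packet with source src seen on sub's port."""
    if sub is None:                 # packet from a port with no subscriber state
        return "drop"
    if sub.opt_out:                 # explicit opt-out, e.g. multi-homing on the cheap
        return "forward"
    src_ip = ip_address(src)
    if any(src_ip == ip_address(a) for a in sub.leases):
        return "forward"            # consistent with what DHCP told this CPE
    if any(src_ip in ip_network(p) for p in sub.delegated):
        return "forward"            # inside a prefix the ISP routes to this customer
    return "drop"                   # anything else is spoofed or misconfigured

def filter_packets(subscribers, packets):
    """Apply ingress_check to (port, src) pairs; return forwarded pairs and per-port drop counts."""
    forwarded, drops = [], Counter()
    for port, src in packets:
        if ingress_check(subscribers.get(port), src) == "forward":
            forwarded.append((port, src))
        else:
            drops[port] += 1        # per-port drop counts are what an operator would alert on
    return forwarded, drops

# Constructed subscriber table and sample packets (RFC 5737 documentation ranges).
SUBSCRIBERS = {
    "cm-0001": Subscriber("cm-0001", leases={"203.0.113.17"}),
    "cm-0002": Subscriber("cm-0002", leases={"203.0.113.42"}, delegated=["198.51.100.0/29"]),
    "biz-0003": Subscriber("biz-0003", leases={"203.0.113.99"}, opt_out=True),
}
PACKETS = [
    ("cm-0001", "203.0.113.17"),   # matches the DHCP lease -> forward
    ("cm-0001", "192.0.2.5"),      # not this CPE's address -> drop
    ("cm-0002", "198.51.100.3"),   # inside the delegated /29 -> forward
    ("cm-0002", "10.0.0.1"),       # private source leaking out -> drop
    ("biz-0003", "192.0.2.200"),   # opted out -> forwarded unfiltered
    ("cm-9999", "203.0.113.17"),   # unknown port -> drop
]
```

A sustained non-zero drop count on a residential port is the misconfiguration or spoofing signal worth surfacing; the opt-out path is the one place the filter is deliberately blind.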

