Tier 2 ingress filtering - folo

Saku Ytti saku at ytti.fi
Sat Mar 30 16:34:25 UTC 2013


On (2013-03-30 11:39 -0400), Jay Ashworth wrote:

> But there's no way for an upstream transit carrier to know that *at the present
> time*.

We expect our customers to mark any customers they have in their AS-SET.
And we filter BGP announcements and we ACL traffic based on that.

I know mandating strict IRR is not practical to everyone today. But for me,
it's practical. Sometimes I need to educate customers how to create a route
object or an AS-SET.

At least every non-stubby ASN facing stubby ASN should be able to do strict
IRR. This is about 6000 networks. Compared to other options:

1) close recursive name servers
  - even if all are closed, attack vector is virtually the same, as large
    RR can be found in arbitrary authoritative due to DNSSEC
  - snmpbulkwalk
  - UDP du jour

2) implement uRPF at last mile
  - hundreds of millions of ports, many of them running on autopilot, good
    chunk of them will never ever support uRPF

Obviously if we could choose 2) it would be best, but we can't choose it.

-- 
  ++ytti
