BCP38 [Was: Re: TWC (AS11351) blocking all NTP?]

Tony Tauber ttauber at 1-4-5.net
Tue Feb 4 22:14:40 UTC 2014

On Tue, Feb 4, 2014 at 1:47 PM, <Valdis.Kletnieks at vt.edu> wrote:

> Can somebody explain to me why those who run eyeball networks are able
> to block outbound packets when the customer hasn't paid their bill,
> but can't seem to block packets that shouldn't be coming from that
> cablemodem?

The DOCSIS spec has source address verification (as I understand it, for
about a decade.)
It is deployed within at least one large cable access provider network I am
familiar with (though I don't personally work on the DOCSIS side of things).

Why don't enterprises, hosting and cloud providers do it?  (I don't know
that they don't, but I figured I'd just keep with the tone.)
Enterprises know what prefixes they have so should drop outbound packets
with source IPs other than those, right?
Likewise hosting providers ought to put in some safeguards.
What about cloud providers who also provide virtual OSes and other
Are those VMs and their third-party software kept patched?

All those folks also provide access at the network edge.


More information about the NANOG mailing list