BCP38 is hard, was TWC (AS11351) blocking all NTP?

John Levine johnl at iecc.com
Tue Feb 4 22:18:21 UTC 2014


>>> If just three of the transit-free networks rewrote their peering
>>> contracts such that there was a $10k per day penalty for sending
>>> packets with source addresses the peer should reasonably have known
>>> were forged, this problem would go away in a matter of weeks.
>>
>> Won't work because no one will sign that contract.

Oh, right, how hard can it be to put a bell on that pesky cat?


I was at a conference with people from some Very Large ISPs.  They
told me that many of their large customers absolutely will not let
them do BCP38 filtering.  ("If you don't want our business, we can
find someone else who does.")  The usual problem is that they have PA
space from two providers and for various reasons, not all of which are
stupid, traffic with provider A's addresses sometimes goes out through
provider B.  Adding to the excitement, some of these customers are
medium sized ISPs with multihomed customers of their own.

I don't know BGP well enough to know if it's possible to send out
announcements for this situtation, this address range is us, but don't
route traffic to it.  Even if it is, not all of the customers do BGP,
some are just stub networks.

If we could figure out a reasonable way (i.e., one that the customers
might be willing to implement) to handle this, it'll make BCP38 a lot
more doable.

R's,
John



More information about the NANOG mailing list