BCP38 is hard, was TWC (AS11351) blocking all NTP?

Paul Ferguson fergdawgster at mykolab.com
Tue Feb 4 22:27:55 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 2/4/2014 2:18 PM, John Levine wrote:

>>>> If just three of the transit-free networks rewrote their
>>>> peering contracts such that there was a $10k per day penalty
>>>> for sending packets with source addresses the peer should
>>>> reasonably have known were forged, this problem would go away
>>>> in a matter of weeks.
>>> 
>>> Won't work because no one will sign that contract.
> 
> Oh, right, how hard can it be to put a bell on that pesky cat?
> 
> 
> I was at a conference with people from some Very Large ISPs.  They 
> told me that many of their large customers absolutely will not let 
> them do BCP38 filtering.  ("If you don't want our business, we can 
> find someone else who does.")  The usual problem is that they have
> PA space from two providers and for various reasons, not all of
> which are stupid, traffic with provider A's addresses sometimes
> goes out through provider B.  Adding to the excitement, some of
> these customers are medium sized ISPs with multihomed customers of
> their own.
> 
> I don't know BGP well enough to know if it's possible to send out 
> announcements for this situation, this address range is us, but
> don't route traffic to it.  Even if it is, not all of the customers
> do BGP, some are just stub networks.
> 
> If we could figure out a reasonable way (i.e., one that the
> customers might be willing to implement) to handle this, it'll make
> BCP38 a lot more doable.
> 

BCP84? :-)

- - ferg


- -- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlLxaWoACgkQKJasdVTchbIy9AD/eILZC1RBKpcnSGfYvmWhkmiF
L1egq0XmR2EqlG9ta5ABALrHWUwaV0COd5I6Mz6vZL2Zoa2AkO1w7DC6hvcGAIkM
=R7VB
-----END PGP SIGNATURE-----
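
Added illustration, not part of the original message: BCP84 (RFC 3704) describes strict, feasible-path and loose reverse-path checks, and the sketch below compares them for the multihomed case quoted above, as seen on provider B's customer-facing interface. The prefixes, interface names and RIB contents are constructed for the example, and it assumes the customer announces provider A's block to B as a less-preferred path.

```python
import ipaddress

# Constructed RIB on provider B's edge router (documentation prefixes).
# Each prefix maps to its known paths, best path first. The customer holds
# PA space from A (192.0.2.0/24) and from B (198.51.100.0/24) and announces
# A's block to B only as a less-preferred alternate path (assumption).
RIB = {
    "198.51.100.0/24": ["cust0"],           # B's own assignment to the customer
    "192.0.2.0/24": ["peerA", "cust0"],     # best via A, alternate via customer
    "203.0.113.0/24": ["transit0"],         # unrelated third party
}

def paths_for(src):
    """Longest-prefix match; returns the path list, or [] when no route exists."""
    addr = ipaddress.ip_address(src)
    matches = [ipaddress.ip_network(p) for p in RIB
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return []
    return RIB[str(max(matches, key=lambda n: n.prefixlen))]

def rpf_accept(src, in_iface, mode):
    """Decide whether a packet with source `src` arriving on `in_iface` passes."""
    paths = paths_for(src)
    if mode == "strict":      # best path back to src must be the arrival interface
        return bool(paths) and paths[0] == in_iface
    if mode == "feasible":    # any known path back to src may be the arrival interface
        return in_iface in paths
    if mode == "loose":       # any route to src at all, interface ignored
        return bool(paths)
    raise ValueError(f"unknown mode: {mode}")

def verdicts(src, in_iface="cust0"):
    """Results of all three checks for one packet on the customer interface."""
    return {m: rpf_accept(src, in_iface, m) for m in ("strict", "feasible", "loose")}

if __name__ == "__main__":
    samples = [("B-assigned source", "198.51.100.7"),
               ("A-assigned source sent via B", "192.0.2.7"),
               ("forged third-party source", "203.0.113.7"),
               ("source with no route", "10.9.9.9")]
    for label, src in samples:
        print(f"{label:30} {src:14} {verdicts(src)}")
```

Strict mode drops the customer's legitimate A-sourced traffic, loose mode passes the forged third-party source, and feasible-path mode accepts the former while rejecting the latter. The feasible-path result depends on the alternate path being present in B's RIB, so it does not cover stub customers that do not run BGP.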



