BCP38 is hard, was TWC (AS11351) blocking all NTP?

William Herrin bill at herrin.us
Tue Feb 4 22:49:18 UTC 2014


On Tue, Feb 4, 2014 at 5:18 PM, John Levine <johnl at iecc.com> wrote:
> I was at a conference with people from some Very Large ISPs.  They
> told me that many of their large customers absolutely will not let
> them do BCP38 filtering.  ("If you don't want our business, we can
> find someone else who does.")  The usual problem is that they have PA
> space from two providers and for various reasons, not all of which are
> stupid, traffic with provider A's addresses sometimes goes out through
> provider B.

Then:

(A) It isn't spoofed traffic. The relevant block of ISP A's addresses
should be permitted in ISP B's filter. It shouldn't even need much in
the way of verification: confirm that the requested block is either
relatively small and not obviously registered to someone else in
rwhois, or confirm that it is registered to the customer in rwhois.

(B) When it comes time to apply a penalty up at the peering sessions,
those packets aren't eligible. The penalty can be refuted and, if
based on those particular source addresses, dropped.



> I don't know BGP well enough to know if it's possible to send out
> announcements for this situation, this address range is us, but don't
> route traffic to it.

No. A BGP option could be added to support this, but in many cases the
blocks in question are smaller than /24. The advertisements would end
up filtered anyway. There really isn't a good technical solution to
automated filtering at the reciprocal peering level. That part only
works at the customer edge.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
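
The customer-edge check described in (A) above, as an added example that is not part of the original post: ISP B decides which blocks of ISP A's space to add to a customer's source-address filter, then applies that filter. The rwhois data is a constructed in-memory table, and the /28 cutoff for "relatively small", the names, and the reading that a block registered only to the stated upstream is not "someone else" are all assumptions.

```python
import ipaddress

# Assumption: "relatively small" means /28 or longer; the post gives no number.
SMALL_PREFIXLEN = 28

# Constructed stand-in for rwhois answers (IPv4 only): prefix -> registrant.
RWHOIS = {
    ipaddress.ip_network("198.51.100.0/24"): "ISP-A",
    ipaddress.ip_network("198.51.100.64/28"): "ExampleCorp",
    ipaddress.ip_network("203.0.113.0/25"): "OtherCorp",
}

def registrant(block):
    """Return the most specific registration covering block, or None."""
    covering = [n for n in RWHOIS if block.subnet_of(n)]
    return RWHOIS[max(covering, key=lambda n: n.prefixlen)] if covering else None

def approve_exception(block, customer, upstream):
    """Apply the two acceptance paths from (A) to one requested block."""
    block = ipaddress.ip_network(block)
    owner = registrant(block)
    if owner == customer:
        return True  # registered to the customer in rwhois
    # Assumption: a block registered only to the upstream the customer
    # named (plain PA space, no sub-delegation) is not "someone else".
    someone_else = owner not in (None, upstream)
    return block.prefixlen >= SMALL_PREFIXLEN and not someone_else

def build_filter(assigned, requested, customer, upstream):
    """ISP B's own assignments plus the approved blocks from ISP A."""
    allowed = [ipaddress.ip_network(p) for p in assigned]
    allowed += [ipaddress.ip_network(p) for p in requested
                if approve_exception(p, customer, upstream)]
    return allowed

def permit(src, allowed):
    """Customer-edge source check: forward only if src is in the filter."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)

if __name__ == "__main__":
    requested = ["198.51.100.64/28", "198.51.100.128/29",
                 "198.51.100.0/25", "203.0.113.0/28"]
    acl = build_filter(["192.0.2.0/26"], requested, "ExampleCorp", "ISP-A")
    print("filter:", [str(n) for n in acl])
    for src in ["192.0.2.10", "198.51.100.70", "198.51.100.10", "203.0.113.5"]:
        print(src, "permit" if permit(src, acl) else "drop")
```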



