BCP38 is hard, was TWC (AS11351) blocking all NTP?

Octavio Alvarez alvarezp at alvarezp.ods.org
Tue Feb 4 23:00:18 UTC 2014


On 04/02/14 14:18, John Levine wrote:
> I was at a conference with people from some Very Large ISPs.  They
> told me that many of their large customers absolutely will not let
> them do BCP38 filtering.  ("If you don't want our business, we can
> find someone else who does.")  The usual problem is that they have PA
> space from two providers and for various reasons, not all of which
> are stupid, traffic with provider A's addresses sometimes goes out
> through provider B.  Adding to the excitement, some of these
> customers are medium sized ISPs with multihomed customers of their
> own.

I haven't read it all, but section 3 says:

> However, by restricting transit traffic which originates from a
> downstream network to known, and intentionally advertised,
> prefix(es), the problem of source address spoofing can be virtually
> eliminated in this attack scenario.

If ISP has customer A with multiple *known* valid networks --doesn't 
matter if ISP allocated them to customer or not-- and ISP lets them all 
out, but filters everything else, ISP is still complying with BCP 38.

Here it's not a matter of blocking "just because". It's blocking unknown 
addresses. It doesn't either mean that ISP should not open the filters 
if a new prefix is requested by the customer.




More information about the NANOG mailing list