BCP38 is hard, was TWC (AS11351) blocking all NTP?
Octavio Alvarez
alvarezp at alvarezp.ods.org
Tue Feb 4 23:00:18 UTC 2014
On 04/02/14 14:18, John Levine wrote:
> I was at a conference with people from some Very Large ISPs. They
> told me that many of their large customers absolutely will not let
> them do BCP38 filtering. ("If you don't want our business, we can
> find someone else who does.") The usual problem is that they have PA
> space from two providers and for various reasons, not all of which
> are stupid, traffic with provider A's addresses sometimes goes out
> through provider B. Adding to the excitement, some of these
> customers are medium sized ISPs with multihomed customers of their
> own.
I haven't read it all, but section 3 says:
> However, by restricting transit traffic which originates from a
> downstream network to known, and intentionally advertised,
> prefix(es), the problem of source address spoofing can be virtually
> eliminated in this attack scenario.
If the ISP has a customer A with multiple *known* valid networks (it doesn't
matter whether the ISP allocated them to the customer or not) and the ISP lets them all
out but filters everything else, the ISP is still complying with BCP 38.
Here it's not a matter of blocking "just because". It's blocking unknown
addresses. Nor does it mean that the ISP should not open the filters
if the customer requests a new prefix.
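As an added illustration of the point above (not code from the thread or from BCP 38 itself), the model below compares a naive per-port filter that admits only the prefix provider B allocated with a BCP 38 filter that admits every prefix the customer is known to source, including PA space from provider A that legitimately egresses via B. All prefixes and addresses are constructed documentation ranges.

```python
"""Per-customer-port source-address filtering, BCP 38 style.

Added example; prefixes below are constructed documentation ranges.
"""
import ipaddress
from typing import Dict, List, Set, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class IngressFilter:
    """Permit only source addresses inside prefixes registered for a port."""

    def __init__(self) -> None:
        self._allowed: Dict[str, Set[Network]] = {}

    def register_prefix(self, port: str, prefix: str) -> None:
        """Open the filter for a prefix the customer is known to source.

        This is the step taken when a customer requests a new prefix; the
        prefix need not be space this ISP allocated (PA space from another
        provider qualifies once it is known and intentionally advertised).
        """
        net = ipaddress.ip_network(prefix, strict=True)
        self._allowed.setdefault(port, set()).add(net)

    def permits(self, port: str, src: str) -> bool:
        """True if a packet with source `src` arriving on `port` is forwarded."""
        addr = ipaddress.ip_address(src)
        # `in` is False across address families, so v4 and v6 never collide.
        return any(addr in net for net in self._allowed.get(port, ()))

    def classify(self, port: str, sources: List[str]) -> Tuple[List[str], List[str]]:
        """Split constructed packet sources into (forwarded, dropped)."""
        forwarded, dropped = [], []
        for src in sources:
            (forwarded if self.permits(port, src) else dropped).append(src)
        return forwarded, dropped


def demo() -> Dict[str, Tuple[List[str], List[str]]]:
    """Customer A is multihomed: B allocated 203.0.113.0/24, A allocated 198.51.100.0/24."""
    sources = ["203.0.113.7", "198.51.100.9", "192.0.2.1", "2001:db8:a::1"]
    naive = IngressFilter()                      # only B's own allocation
    naive.register_prefix("cust-a", "203.0.113.0/24")
    bcp38 = IngressFilter()                      # all *known* customer prefixes
    for p in ("203.0.113.0/24", "198.51.100.0/24", "2001:db8:a::/48"):
        bcp38.register_prefix("cust-a", p)
    return {"naive": naive.classify("cust-a", sources),
            "bcp38": bcp38.classify("cust-a", sources)}
```

The naive filter drops the customer's provider-A traffic (the complaint in the quoted text), while the BCP 38 filter forwards it and still drops the spoofed 192.0.2.1 source.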