BCP38 is hard, was TWC (AS11351) blocking all NTP?

Mark Andrews marka at isc.org
Wed Feb 5 00:48:06 UTC 2014


In message <20140205002905.57856.qmail at joyce.lan>, "John Levine" writes:
> >Why does it have to be hard? Restricting the filter to addresses which
> >(A) the customer asserts are theirs 
> 
> How does the customer do that in a way that scales?

You implement SIDR to the extent where you issue your multi homed
customers CERTs for the address space you allocated to them.  The
customer can then just send signed requests to a automated service
at the other ISPs along with the CERT which then builds the filters
based on that information after verifying the CERTs authenticity.

Now all of the above is completely automatable including the CERT
generation.  Yes, it requires someone to write a implementation and
integrate it with the existing systems.

> I don't think any of this is rocket science, but it apparently is a
> real block to BCP38/84 implementatin.

No, this isn't rocket science.  It just requires a little co-ordination.

> R's,
> John
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



More information about the NANOG mailing list