Request for comment -- BCP38

• Previous message (by thread): Request for comment -- BCP38
• Next message (by thread): Request for comment -- BCP38
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon 2016-Sep-26 09:21:55 -0700, Hugo Slabbert <hugo at slabnet.com> wrote:

>
>On Mon 2016-Sep-26 11:15:11 -0500, Mike Hammett <nanog at ics-il.net> wrote:
>
>>>
>>>----- Original Message -----
>>>
>>>From: "John Levine" <johnl at iecc.com>
>>>To: nanog at nanog.org
>>>Sent: Monday, September 26, 2016 11:04:33 AM
>>>Subject: Re: Request for comment -- BCP38
>>>
>>>>If you have links from both ISP A and ISP B and decide to send traffic out
>>>>ISP A's link sourced from addresses ISP B allocated to you, ISP A *should*
>>>>drop that traffic on the floor. There is no automated or scalable way for
>>>>ISP A to distinguish this "legitimate" use from spoofing; unless you
>>>>consider it scalable for ISP A to maintain thousands if not more
>>>>"exception" ACLs to uRPF and BCP38 egress filters to cover all of the cases
>>>>of customers X, Y, and Z sourcing traffic into ISP A's network using IPs
>>>>allocated to them by other ISPs?
>>>
>>>I gather the usual customer response to this is "if you don't want our
>>>$50K/mo, I'm sure we can find another ISP who does."
>>>
>>>From the conversations I've had with ISPs, the inability to manage
>>>legitimate traffic from dual homed customer networks is the most
>>>significant bar to widespread BCP38. I realize there's no way to do
>>>it automatically now, but it doesn't seem like total rocket science to
>>>come up with some way for providers to pass down a signed object to
>>>the customer routers that the routers can then pass back up to the
>>>customer's other providers.
>>>
>>>R's,
>>>John
>>>
>>>PS: "Illegitimate" is not a synonym for inconvenient, or hard to handle.
>>>
>
>>Are you talking BGP level customers or individual small businesses' 
>>broadband service?
>
>I myself am talking about the latter... 

...dammit...obviously "former" here, not "latter".  Caffeine injection 
requisitioned.

>...and included the option of PI space to cover that (although I guess at 
>some point this can be made fly with PA space from another provider if 
>both providers are willing enough to play ball), though from the $50/mo 
>figure John listed, I'm assuming he's talking about the latter.
>
>Do people really expect to be able to do this on residential or small 
>business broadband networks?  I can't remember any time in recent 
>memory where I assumed I could set a source address to any IP I fancy 
>and have that packet successfully make its way through the SP's 
>network.
>
>>
>>-----
>>Mike Hammett
>>Intelligent Computing Solutions
>>http://www.ics-il.com
>>
>>Midwest-IX
>>http://www.midwest-ix.com

-- 
Hugo Slabbert       | email, xmpp/jabber: hugo at slabnet.com
pgp key: B178313E   | also on Signal


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20160926/f772a8bd/attachment.sig>

• Previous message (by thread): Request for comment -- BCP38
• Next message (by thread): Request for comment -- BCP38
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]