On Thu, Jan 9, 2014 at 11:52 AM, Scott Brim
<scott(_dot_)brim(_at_)gmail(_dot_)com> wrote:
On Thu, Jan 9, 2014 at 10:43 AM, Patrik Fältström <paf(_at_)frobbit(_dot_)se>
wrote:
Not being an IP-routing person, but chair of SSAC in ICANN, I hear people
for the reasons you bring up are more in favor of a mechanism where one talk
about explicitly "filtering at the edge of the Internet" and not at every
point where routes are exchanged.
Where is "the edge"? Is there a boundary outside of your control that
ideally a customer filters at every LAN port ... that way it's pretty
simple to tell what you should be filtering :)
after that it'd be nice if their egress port to 'internet' included:
"permit ip MYSRC any"
so that in case of internal issues with config consistency/etc they
still don't leak out bad sources.
At the 'ISP' level, this sort of thing is practical really only at the
customer link, it's not super practical to filter on links between
ISPs (maybe it is for TierX but not Tier X-M)...
you truly trust? Even if there's supposedly unbreakable filtering at
most of the edge, wouldn't you want to do your own filtering as well?
sure, can you define the filter between (for pathological cases)
Level3 and ATT ? or NTT and Cogent?
it gets much harder to do this in a not-super-brittle way pretty
quickly at that level of the network hierarchy :(
It looks like the sites John talked to are multihomed, NOT doing
routing at their edge (??), and yet wanting to filter? I don't think
that's not clear, from john's description at least.
you get all three of those.
For some of the cases John is talking about it's probably 'hard' to do
the filter, but for many folk as long as you are already filtering the
routes the 'customer' sends (and you ARE doing that, right? you dont'
want to be PCCW do you? :) ) it's pretty darned simple to just filter
inbound properly there. (or for the customer to properly egress filter
to you, since they know the routes because they told you the routes)
-chris