
Re: What to improve? BCP-38/SAC-004 anyone?

2015-12-31 13:42:33

On Dec 31, 2015, at 2:21 PM, Steve Crocker <steve(_at_)shinkuro(_dot_)com> 
wrote:

I’ve always assumed the proper place to implement BCP 38 is at the edge of 
the network.  I’ve also assumed that part of the knowledge one network ought 
to have about another is whether the other network implements BCP 38 at its 
edge and requires its peers to do so at their edges and require their peers, 
etc.  Thus, there ought to be an ever growing collection of networks that 
have agreed that packets entering their networks have had their source 
addresses checked at their source.  Checking the source addresses as packets 
traverse from one tier one network to another or from a tier two network to a 
tier one network should not be necessary, and I can well understand why this 
would be a performance issue.

Sure.  The edge of my network may have a /19 behind it though, or it could be a 
/126.  I also don’t know if a customer later turns up as another provider’s 
backup-path and forgets to or doesn’t inform me.  Customers are often reluctant 
to describe who are in that downstream cone in advance, either because of poor 
planning, fear or something else.

I may want to drop packets that I can’t return (e.g., 1918-type sources).  This 
is where I’ve tried to focus, to forward fewer ‘bad’ packets.

Instead we have ended up with a policy to have certain port or protocol numbers 
enter a ‘junk’ queue that gets policed.  I may not need Chargen or NTP to be 
more than 1% of my network.

- Jared
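
The two checks discussed in this thread, sketched as an added example that is not part of either poster's message: a BCP 38 style source-address check at a customer edge, plus an unconditional drop of sources that cannot be replied to. The interface names, the prefix table and the verdict strings are assumptions made up for illustration; the prefixes are documentation ranges.

```python
import ipaddress

# Sources that can never receive a reply across the public Internet:
# RFC 1918 private space plus loopback, link-local and IPv6 ULA.
UNRETURNABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10",
)]

# Constructed edge table (hypothetical): customer-facing interface ->
# prefixes routed to that customer. Links with no entry (peers, transit)
# carry sources the operator cannot enumerate in advance.
EDGE_PREFIXES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("2001:db8:0:1::/126")],
}


def _contains(networks, addr):
    """True if addr falls inside any network of the same IP version."""
    return any(addr.version == n.version and addr in n for n in networks)


def check_source(interface, src):
    """Return a verdict for a packet arriving on `interface` with source `src`."""
    addr = ipaddress.ip_address(src)
    # Unreturnable sources are dropped everywhere, no prefix list needed.
    if _contains(UNRETURNABLE, addr):
        return "drop-unreturnable"
    allowed = EDGE_PREFIXES.get(interface)
    if allowed is None:
        # No customer prefix list for this link, so the source is not checked.
        return "forward-unverified"
    if _contains(allowed, addr):
        return "forward"
    # Outside the customer's known prefixes: spoofed, or a downstream
    # (for example a backup path) that was never declared to the operator.
    return "drop-spoofed"


if __name__ == "__main__":
    for iface, src in [("cust-a", "198.51.100.7"), ("cust-a", "10.1.2.3"),
                       ("cust-a", "203.0.113.9"), ("cust-b", "2001:db8:0:1::4"),
                       ("peer-1", "203.0.113.9")]:
        print(iface, src, check_source(iface, src))
```

The `drop-spoofed` verdict for 203.0.113.9 on `cust-a` is the same result an undeclared backup-path customer would get, which is why the strict check depends on an accurate prefix list while the unreturnable-source drop does not.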