Re: Policies: Routing a subset of another ISP's address block

[Jesper Skriver <jesper () skriver dk>]

On Wed, Apr 05, 2000 at 07:10:30PM -0400, Phillip Vandry wrote:
> > I can say for sure, that we doesn't accept more specific announcements within 
> > our PA blocks, nor does we accept traffic with a source within these
> > blocks.
>
> So you might not allow a customer to break up your block, but you haven't
> said that you wouldn't allow a customer to announce a fragmented block
> belonging to someone else, supposing this other party does not share
> your policy.

But they will be unable to reach anything within our network (which is >
50% of the danish Internet).

> > > I don't see the logic behind refusing the customer a request of this sort.
> >
> > Exploding routing tables, and it makes it impossible to do anti-spoofing
> > filters ...
>
> You're going to have to exempt multihomed downstream customers from your
> anti spoofing filters anyway, whether they use your space, someone else's
> or their own. To put it another way, if you have clueful downstreams,
> you should delegate anti spoofing to them, they will do it closer to
> the edge where there is no asymetrical routing.

Yes, but this cannot ensure that someone on the other side of the
planet, tried to connect to something within our network, with a souce
in our blocks - which we cannot accept, as some of our customers (with
multiple connections to our network) use the source address for
authentication purposes.

/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Work:    Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek            @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.