nanog mailing list archives
Re: BCP38 is hard, was TWC (AS11351) blocking all NTP?
From: William Herrin <bill () herrin us>
Date: Tue, 4 Feb 2014 17:49:18 -0500
On Tue, Feb 4, 2014 at 5:18 PM, John Levine <johnl () iecc com> wrote:
I was at a conference with people from some Very Large ISPs. They told me that many of their large customers absolutely will not let them do BCP38 filtering. ("If you don't want our business, we can find someone else who does.") The usual problem is that they have PA space from two providers and for various reasons, not all of which are stupid, traffic with provider A's addresses sometimes goes out through provider B.
Then: (A) It isn't spoofed traffic. The relevant block of ISP A's addresses should be permitted in ISP B's filter. It shouldn't even need much in the way of verification: confirm that the requested block is either relatively small and not obviously registered to someone else in rwhois, or confirm that it is registered to the customer in rwhois. (B) When it comes time to apply a penalty up at the peering sessions, those packets aren't eligible. The penalty can be refuted and, if based on those particular source addresses, dropped.
I don't know BGP well enough to know if it's possible to send out announcements for this situtation, this address range is us, but don't route traffic to it.
No. A BGP option could be added to support this, but in many cases the blocks in question are smaller than /24. The advertisements would end up filtered anyway. There really isn't a good technical solution to automated filtering at the reciprocal peering level. That part only works at the customer edge. Regards, Bill Herrin -- William D. Herrin ................ herrin () dirtside com bill () herrin us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
Current thread:
- Re: TWC (AS11351) blocking all NTP?, (continued)
- Re: TWC (AS11351) blocking all NTP? Jay Ashworth (Feb 04)
- Re: TWC (AS11351) blocking all NTP? Michael Smith (Feb 06)
- Re: TWC (AS11351) blocking all NTP? Doug Barton (Feb 04)
- Re: TWC (AS11351) blocking all NTP? William Herrin (Feb 04)
- Re: TWC (AS11351) blocking all NTP? Christopher Morrow (Feb 04)
- Re: TWC (AS11351) blocking all NTP? Majdi S. Abbas (Feb 04)
- Re: TWC (AS11351) blocking all NTP? William Herrin (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? John Levine (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? Paul Ferguson (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? Chuck Anderson (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? William Herrin (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? Octavio Alvarez (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? John R. Levine (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? William Herrin (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? John Levine (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? Mark Andrews (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? Randy Bush (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? Jay Ashworth (Feb 04)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? Saku Ytti (Feb 05)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? Jared Mauch (Feb 05)
- Re: BCP38 is hard, was TWC (AS11351) blocking all NTP? Saku Ytti (Feb 05)