Re: Request for comment -- BCP38

[Mike Hammett <nanog () ics-il net>]

Are you talking BGP level customers or individual small businesses' broadband service? 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "John Levine" <johnl () iecc com> 
To: nanog () nanog org 
Sent: Monday, September 26, 2016 11:04:33 AM 
Subject: Re: Request for comment -- BCP38 

> If you have links from both ISP A and ISP B and decide to send traffic out 
> ISP A's link sourced from addresses ISP B allocated to you, ISP A *should* 
> drop that traffic on the floor. There is no automated or scalable way for 
> ISP A to distinguish this "legitimate" use from spoofing; unless you 
> consider it scalable for ISP A to maintain thousands if not more 
> "exception" ACLs to uRPF and BCP38 egress filters to cover all of the cases 
> of customers X, Y, and Z sourcing traffic into ISP A's network using IPs 
> allocated to them by other ISPs? 

I gather the usual customer response to this is "if you don't want our 
$50K/mo, I'm sure we can find another ISP who does." 

> From the conversations I've had with ISPs, the inability to manage 
legitimate traffic from dual homed customer networks is the most 
significant bar to widespread BCP38. I realize there's no way to do 
it automatically now, but it doesn't seem like total rocket science to 
come up with some way for providers to pass down a signed object to 
the customer routers that the routers can then pass back up to the 
customer's other providers. 

R's, 
John 

PS: "Illegitimate" is not a synonym for inconvenient, or hard to handle.