Re: NSPs and filters

[Daniel Senie <dts () proteon com>]

Phil Howard wrote:
> Jon Lewis writes...
>
> > Why is it that the NSPs I've encountered refuse to do any sort of sanity
> > filtering on their customer connections?  i.e. If UUNet knows that FDT has
> > only 205.229.48/20 and 208.215.0/20, why should they let me send traffic
> > through their network with random source addresses?
>
> I'm assuming that they don't want to overload their router with all that
> extra filtering, especially on the interface inbounds.

There's more to consider. The choice of routing gear and router software
can
allow filtering without adversely affecting performance.

> OTOH, I've always believed that all routers should be required to apply
> routing decisions first to the source address and determine if the interface
> it arrived on is at least a valid return path (not necessarily best) and if
> not, drop the packet.  Then do the destination work.

We considered this in the first published draft of:

        draft-ferguson-ingress-filtering-02.txt

but ultimately removed this from the text. The return path is often not
the same
as the forward path, thanks to the BGP policies through the core
routers. In
many cases, alternate paths will not be known.

> Again, too much work for the routers to do.

No. It IS work, but a router and/or router software designed to handle
this
capability is NOT a hard thing. If that's an important feature, then the
hardware and software CAN be designed that perform these functions
efficiently.


-- 
-------------------------------------------------------
Daniel Senie                  dts () openroute com
OpenROUTE Networks, Inc.      http://www.openroute.com/
508-898-2800