nanog mailing list archives


Any other bad/broken/incorrect examples to show us?

> Past that if the customer has customers who have blocks assigned from other
> providers, this becomes a huge and almost impossible to manage real-time
> list.

If the customer is another ISP who has blocks assigned from one of their
other upstream providers and they're sending the wrong packets down the
wrong pipes then they've got their routing all messed up and they need
to fix it anyway.  The sooner you block their packets and make them see
the error in their ways the sooner their performance and reliability
will return to the levels it should be at and the happier they'll be.

> Big filter lists hit router CPUs, and cost human time.

Big filter lists?  How many connections do you have on any given edge
router?  How many network blocks are assigned to those customers?  I'll
bet when you do the math it's not that big of a list (relatively
speaking).  How many packets per second do your edge routers handle
anyway?

As for CPU time, well demand better from your hardware vendors.  Given
what's available now (and been available for some time now), there's no
excuse for a router doing such basic filtering in its main CPU any
more.  Like I said, you might even be able to justify separate
wire-speed filter boxes to sit just in front of edge routers too (I
don't know -- I've no idea how the costs work out vs. the costs of
managing spoof-based DoS attacks).

> And remember
> this isn't like filtering BGP customers where if the route doesn't get
> through it's not always a big deal, you are _dropping_ packets that may
> be valid.

No packet with an invalid source address is valid.  Period.  That's the
definition!

> I'm guessing you talk to a lot of router vendors and listen to their
> half-truths about their filtering abilities.  It's one thing to filter
> one customer, it's another to filter hundreds of customers utilizing
> hundreds or thousands of blocks on a single device,

Given the numbers you spout I think you're talking core here.  I'm
talking edge.  Any edge provider that's got a customer with hundreds or
thousands of netblocks has that customer connected at the wrong place.

> just looking
> at the configuration becomes a nightmare.

What, don't you have a provisioning system that would automate this kind
of thing?  If not and if it's a nightmare then you're well beyond being
in dire need of having a real provisioning system!

> Also there's a big difference
> between an edge device pushing a few megs and one pushing many gigs
> when it comes to any type of packet filtering.

Ah ha!  You are talking core.  I never suggested trying to do any
filtering in the core.  The filtering must be done at the edge!  Why do
"you people" keep jumping to the wrong assumptions?!?!?!?!?

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
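The edge ingress filter the post argues for, and the provisioning step that would generate it, as an added example that is not part of the original message or thread. Interface names and prefixes are constructed sample data (RFC 5737 documentation ranges); the rendered filter syntax is vendor-neutral and hypothetical.

```python
"""Added example: build a per-interface source-address ingress filter from a
customer prefix table, and apply the check it implements to arriving packets.
All customer data below is constructed for illustration."""
import ipaddress

# Constructed provisioning table: edge interface -> prefixes assigned to the
# customer attached there. Only these may appear as source addresses inbound.
CUSTOMERS = {
    "ge-0/0/1": ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24"],
    "ge-0/0/2": ["203.0.113.0/24"],
}


def build_ingress_filter(customers):
    """Return {interface: [permitted source networks]}.

    Adjacent assignments are collapsed (192.0.2.0/25 + 192.0.2.128/25 becomes
    192.0.2.0/24), which keeps the per-interface list short."""
    return {
        intf: list(ipaddress.collapse_addresses(
            ipaddress.ip_network(p) for p in prefixes))
        for intf, prefixes in customers.items()
    }


def source_permitted(filt, intf, src):
    """Ingress check for one packet: accept only if src falls inside a prefix
    assigned to the customer on this interface. A source the customer was not
    assigned (another customer's block, a block routed via a different
    upstream, an unknown interface) is dropped."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in filt.get(intf, []))


def render_filter(filt):
    """Render the filter as hypothetical vendor-neutral text: one permit per
    aggregated prefix, then an explicit deny of everything else."""
    lines = []
    for intf, nets in filt.items():
        lines.extend(f"{intf} permit source {net}" for net in nets)
        lines.append(f"{intf} deny source any")
    return lines


def filter_size(filt):
    """Number of filter entries, permits plus the trailing deny per interface."""
    return sum(len(nets) + 1 for nets in filt.values())


if __name__ == "__main__":
    print("\n".join(render_filter(build_ingress_filter(CUSTOMERS))))
```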