nanog mailing list archives
Re: BCP38 - Internet Death Penalty
From: William Herrin <bill () herrin us>
Date: Wed, 27 Mar 2013 11:40:36 -0400
On Wed, Mar 27, 2013 at 11:02 AM, Jack Bates <jbates () brightok net> wrote:
It's also not a bad idea for an ISP to deploy EGRESS filters if they do not offer BGP Transit services.
Nor is it a bad idea for their upstream to inquire as to whether the downstream offers BGP transit services and apply INGRESS filters if they do not.
This way they are not depending on their transit providers to handle spoof protection and they cover their entire network regardless of last mile ingress filtering. This doesn't generally work well when doing transit services of any size due to the number of egress filter updates you'd have to issue, but it is great for the small/medium ISP.
Build a web page where a downstream can set the filters on his interface at his convenience. Apply some basic sanity checks against wide-open. Worry about small lies from a forensic after-the-fact perspective. This problem has a trivial technology-only solution. Regards, Bill Herrin -- William D. Herrin ................ herrin () dirtside com bill () herrin us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
Current thread:
- Re: BCP38 - Internet Death Penalty, (continued)
- Re: BCP38 - Internet Death Penalty Valdis . Kletnieks (Mar 26)
- Re: BCP38 - Internet Death Penalty Mark Andrews (Mar 26)
- Re: BCP38 - Internet Death Penalty William Herrin (Mar 27)
- Re: BCP38 - Internet Death Penalty Jay Ashworth (Mar 27)
- Re: BCP38 - Internet Death Penalty Jack Bates (Mar 27)
- Re: BCP38 - Internet Death Penalty Mark Andrews (Mar 27)
- Re: BCP38 - Internet Death Penalty Jack Bates (Mar 27)
- Re: BCP38 - Internet Death Penalty Valdis . Kletnieks (Mar 27)
- Re: BCP38 - Internet Death Penalty Jay Ashworth (Mar 27)