Re: Tier 2 ingress filtering

[Paul Ferguson <fergdawgster () gmail com>]

On Thu, Mar 28, 2013 at 12:27 PM, Jay Ashworth <jra () baylink com> wrote:

> ----- Original Message -----
> > From: "William Herrin" <bill () herrin us>
>
> > So, you represent to your ISP that you're authorized to use a certain
> > range of addresses. He represents to his upstream that he's authorized
> > to use them on your behalf, and so on.
>
> The former is a first-hand transaction: if you're lying to your edge
> carrier, he can cut you off with no collateral damage.

Of course, he has to notice it first. :-)

ObOpinion: It's best to *enforce* a policy which disallows a
downstream network from sourcing spoofed packets -- and the closer to
the "edge" you are, the better, Hierarchy is great for that. :-)

I guess the next best thing is "Trust but verify"?

- ferg


-- 
"Fergie", a.k.a. Paul Ferguson
 fergdawgster(at)gmail.com