Re: Tier 2 ingress filtering

[Jay Ashworth <jra () baylink com>]

Yeah, that's what I meant: ingress filter all edge connections except maybe BGP, and accept optout requests.

Valdis.Kletnieks () vt edu wrote:

> On Thu, 28 Mar 2013 15:05:57 -0400, Jay Ashworth said:
> > ----- Original Message -----
> > > From: "Valdis Kletnieks" <Valdis.Kletnieks () vt edu>
> > > For 5 9's worth of eyeball networks hanging off consumer-grade ADSL
> and cable
> > > connections, it's still the edge and still trivially filterable. If
> that's a
> > > problem, the ISP can upsell a business-class connection that
> doesn't
> > > filter. ;)
> >
> > C'mon guys: the edge is where people who *source and sink* packets
> > connect to people who *move* packets.  There may be some edges
> *inside*
> > carriers, but there is certainly an edge where carriers hook up
> customers.
>
> Exactly - packets leaving Comcast's network and going to another tier
> 1/2,
> the receiver may have a hard time figuring out if the packet is legit
> or not.
> But it's trivial for Comcast to tell whether the packet that just came
> out
> my cablemodem is consistent with what their DHCP server told my CPE.
> (For the record, the last time I tried running the spoofer.sail stuff
> on my home gear, it was totally unable to sneak a packet out, so at
> least
> part of Comcast does this right).
>
> And the fact that there's places where it *is* hard to deploy isn't an
> excuse
> for not doing it in the 98% of places where it's a slam dunk.
>
> > And no, this should apply to business-grade connections as much as
> resi.
>
> Oh, I was intending *those* would be filtered by default as well, but
> you
> could request an opt-out if you were trying to do multi-homing on the
> cheap
> as some people have suggested (similar to blocking outbound 25 by
> default,
> unless the user actually has a mail server).

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.