Re: BCP38 is hard, was TWC (AS11351) blocking all NTP?

[Paul Ferguson <fergdawgster () mykolab com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 2/4/2014 2:18 PM, John Levine wrote:

> > > > If just three of the transit-free networks rewrote their
> > > > peering contracts such that there was a $10k per day penalty
> > > > for sending packets with source addresses the peer should
> > > > reasonably have known were forged, this problem would go away
> > > > in a matter of weeks.
> > >
> > > Won't work because no one will sign that contract.
>
> Oh, right, how hard can it be to put a bell on that pesky cat?
>
>
> I was at a conference with people from some Very Large ISPs.  They 
> told me that many of their large customers absolutely will not let 
> them do BCP38 filtering.  ("If you don't want our business, we can 
> find someone else who does.")  The usual problem is that they have
> PA space from two providers and for various reasons, not all of
> which are stupid, traffic with provider A's addresses sometimes
> goes out through provider B.  Adding to the excitement, some of
> these customers are medium sized ISPs with multihomed customers of
> their own.
>
> I don't know BGP well enough to know if it's possible to send out 
> announcements for this situtation, this address range is us, but
> don't route traffic to it.  Even if it is, not all of the customers
> do BGP, some are just stub networks.
>
> If we could figure out a reasonable way (i.e., one that the
> customers might be willing to implement) to handle this, it'll make
> BCP38 a lot more doable.

BCP84? :-)

- - ferg


- -- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlLxaWoACgkQKJasdVTchbIy9AD/eILZC1RBKpcnSGfYvmWhkmiF
L1egq0XmR2EqlG9ta5ABALrHWUwaV0COd5I6Mz6vZL2Zoa2AkO1w7DC6hvcGAIkM
=R7VB
-----END PGP SIGNATURE-----