BCP38 - Internet Death Penalty

On Wed, Mar 27, 2013 at 11:02 AM, Jack Bates <jbates at brightok.net> wrote:
> It's also not a bad idea for an ISP to deploy EGRESS filters if they do not
> offer BGP Transit services.

Nor is it a bad idea for their upstream to inquire as to whether the
downstream offers BGP transit services and apply INGRESS filters if
they do not.

> This way they are not depending on their transit
> providers to handle spoof protection and they cover their entire network
> regardless of last mile ingress filtering. This doesn't generally work well
> when doing transit services of any size due to the number of egress filter
> updates you'd have to issue, but it is great for the small/medium ISP.

Build a web page where a downstream can set the filters on his
interface at his convenience. Apply some basic sanity checks against
wide-open. Worry about small lies from a forensic after-the-fact
perspective. This problem has a trivial technology-only solution.

Bill Herrin
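
The "basic sanity checks against wide-open" step from the message above, sketched as an added example that is not part of the original post or any poster's code. The minimum prefix lengths, the bogon list and the function name check_filter_request are assumptions chosen for illustration; documentation prefixes stand in for real customer assignments.

```python
import ipaddress

# Assumed policy values, not from the thread: shortest prefix a downstream may
# self-declare per IP version, and space that is never a valid customer source.
MIN_PREFIXLEN = {4: 16, 6: 32}
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "fc00::/7", "fe80::/10", "ff00::/8")]

def check_filter_request(lines):
    """Split a downstream's submitted source prefixes into (accepted, rejected).

    accepted: aggregated networks to permit inbound on the customer interface.
    rejected: (text, reason) pairs, worth logging for after-the-fact review.
    """
    accepted, rejected = [], []
    for raw in lines:
        text = raw.strip()
        if not text:
            continue
        try:
            net = ipaddress.ip_network(text, strict=True)  # host bits set -> error
        except ValueError:
            rejected.append((text, "not a valid network"))
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            rejected.append((text, "too broad"))
        elif any(net.version == b.version and net.overlaps(b) for b in BOGONS):
            rejected.append((text, "bogon space"))
        else:
            accepted.append(net)
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix IP versions
        merged += ipaddress.collapse_addresses(
            n for n in accepted if n.version == version)
    return merged, rejected

# Constructed submission; documentation prefixes stand in for real assignments.
SAMPLE = ["198.51.100.0/25", "198.51.100.128/25", "2001:db8:10::/48",
          "0.0.0.0/0", "10.1.0.0/16", "192.0.2.1/24", "not-a-prefix"]

if __name__ == "__main__":
    ok, bad = check_filter_request(SAMPLE)
    for net in ok:
        print("permit", net)
    for text, reason in bad:
        print("reject", text, "-", reason)
```

The rejected list is kept rather than discarded so that what a downstream asked for can be reviewed later, which is where the "small lies" get handled.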

