Tier 2 ingress filtering

In the current BCP38/DDoS discussions, I've seen a lot of people suggesting 
that it's practical to do ingress filtering at places other than the edge.

My understanding has always been different from that, based on the idea
that the carrier to which a customer connects is the only one with which
that end-site has a business relationship, and therefore (frex), the only
one whom that end-site could advise that they believe they have a valid
reason to originate traffic from address space not otherwise known to
the carrier; jack-leg dual-homing, for example, as was discussed in still
a third thread this week.

The edge carrier's *upstream* is not going to know that it's reasonable
for their customer -- the end-site's carrier -- to be originating traffic
with those source addresses, and if they ingress filter based on the 
prefixes they route down to that carrier, they'll drop that traffic...

which is not fraudulent, and has a valid engineering reason to exist and
appear on their incoming interface.

Fixing that will require the construction of an entirely new tracking system
at the Tier 2, which is not really the case for the Tier 3 edge carrier,
as I see it - you generally just turn unicast-rpf on for everyone's port,
unless you have a signed waiver in your file cabinet, in which case
you turn it off.

Am I missing something?

Or is the overarching problem large enough that people are willing to
throw the baby out with the bathwater?

-- jra
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274
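The situation described above, modelled as an added example (not code from the post or from any vendor): a strict uRPF check at the Tier 3 edge, where a signed waiver simply turns the check off for the dual-homed customer port, next to the same check at the Tier 2 upstream, which only knows the prefixes it routes down to that carrier. All carrier names, interface names and prefixes are constructed.

```python
from ipaddress import ip_address, ip_network


class Router:
    """Minimal strict-uRPF model: a packet passes only if the longest-match
    route for its source address points back out the interface it came in on."""

    def __init__(self, fib, waived=()):
        # fib: {prefix: interface}; waived: ports with uRPF switched off
        self.fib = {ip_network(p): i for p, i in fib.items()}
        self.waived = set(waived)

    def reverse_path(self, src):
        # longest-prefix match for the source address
        matches = [n for n in self.fib if ip_address(src) in n]
        if not matches:
            return None
        return self.fib[max(matches, key=lambda n: n.prefixlen)]

    def accept(self, src, iface):
        if iface in self.waived:
            return True  # signed waiver in the file cabinet: uRPF off here
        return self.reverse_path(src) == iface


# Constructed topology: T3 is the edge carrier, T2 is T3's upstream.
# Customer A is "jack-leg" dual-homed and legitimately sources packets
# from 198.51.100.0/24, a prefix its *other* provider announces.
T3 = Router(
    {"203.0.113.0/24": "cust-A",   # A's prefix as known to T3
     "192.0.2.0/24": "cust-B",     # single-homed customer, no waiver
     "0.0.0.0/0": "up-T2"},        # default toward the upstream
    waived=["cust-A"],             # A filed a waiver for its dual-homing
)
T2 = Router(
    {"203.0.113.0/24": "down-T3",  # only prefix T2 routes down to T3
     "198.51.100.0/24": "peer-X",  # reached via a different neighbour
     "0.0.0.0/0": "transit"},
)


def edge_accepts(src):
    return T3.accept(src, "cust-A")       # A's packet at the Tier 3 edge


def upstream_accepts(src):
    return T2.accept(src, "down-T3")      # same packet arriving at Tier 2
```

With the waiver, T3 passes A's 198.51.100.x packets; T2 drops them because it has no record of the waiver and its own route for that prefix points elsewhere, while customer B still cannot spoof through T3.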