[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Tier 2 ingress filtering

On Thu, Mar 28, 2013 at 1:07 PM, Jay Ashworth <jra at baylink.com> wrote:
> My understanding has always been different from that, based on the idea
> that the carrier to which a customer connects is the only one with which
> that end-site has a business relationship, and therefore (frex), the only
> one whom that end-site could advise that they believe they have a valid
> reason to originate traffic from address space not otherwise known to
> the carrier; jack-leg dual-homing, for example, as was discussed in still
> a third thread this week.

Hi Jay,

There's a two part heirarchy of contracts involved in every legitimate
end-to-end communication which occurs over the Internet, right? You
buy service from someone who buys service on your behalf from someone
who buys service on his behalf from someone. The other endpoint does
the same, starting with his ISP. The contract hierarchies meet at the
top, either with a single backbone ISP or with a pair of backbone ISPs
who do settlement-free peering with each other.

So, you represent to your ISP that you're authorized to use a certain
range of addresses. He represents to his upstream that he's authorized
to use them on your behalf, and so on.

The reliability of these representations obviously falls at they grow
distant from the source. So what? That's a problem for RPKI. The
problem we need concern ourselves with is dropping packets whose
source addresses are inconsistent with our customer's _representation_
of the addresses he's authorized to originate, however reliable or
unreliable that representation may turn out to be.

Bill Herrin

William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004