[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Tier 2 ingress filtering

----- Original Message -----
> From: "William Herrin" <bill at herrin.us>

> So, you represent to your ISP that you're authorized to use a certain
> range of addresses. He represents to his upstream that he's authorized
> to use them on your behalf, and so on.

The former is a first-hand transaction: if you're lying to your edge 
carrier, he can cut you off with no collateral damage.

The latter, though, is arms-length, *and* has no reasonable way to be 
implemented that I can see without extending whatever OAM&P system
that carrier has atop their gear.

> The reliability of these representations obviously falls at they grow
> distant from the source. So what? That's a problem for RPKI. The
> problem we need concern ourselves with is dropping packets whose
> source addresses are inconsistent with our customer's _representation_
> of the addresses he's authorized to originate, however reliable or
> unreliable that representation may turn out to be.

That's great, but that's a couple orders of magnitude of added complexity
that, quite frankly Bill, I can't sell just now.  :-)

Worse (to bring this ontopic for NANOG): that complexity needs to live
*inside routers*, unless I'm very much mistaken.

-- jra
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274