[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Tier 2 ingress filtering

On Thu, 28 Mar 2013 15:05:57 -0400, Jay Ashworth said:
> ----- Original Message -----
> > From: "Valdis Kletnieks" <Valdis.Kletnieks at vt.edu>
> > For 5 9's worth of eyeball networks hanging off consumer-grade ADSL and cable
> > connections, it's still the edge and still trivially filterable. If that's a
> > problem, the ISP can upsell a business-class connection that doesn't
> > filter. ;)
> C'mon guys: the edge is where people who *source and sink* packets
> connect to people who *move* packets.  There may be some edges *inside*
> carriers, but there is certainly an edge where carriers hook up customers.

Exactly - packets leaving Comcast's network and going to another tier 1/2,
the receiver may have a hard time figuring out if the packet is legit or not.
But it's trivial for Comcast to tell whether the packet that just came out
my cablemodem is consistent with what their DHCP server told my CPE.
(For the record, the last time I tried running the spoofer.sail stuff
on my home gear, it was totally unable to sneak a packet out, so at least
part of Comcast does this right).

And the fact that there's places where it *is* hard to deploy isn't an excuse
for not doing it in the 98% of places where it's a slam dunk.

> And no, this should apply to business-grade connections as much as resi.

Oh, I was intending *those* would be filtered by default as well, but you
could request an opt-out if you were trying to do multi-homing on the cheap
as some people have suggested (similar to blocking outbound 25 by default,
unless the user actually has a mail server).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 865 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20130328/7c722949/attachment.bin>