[161829] in North American Network Operators' Group
Re: BCP38 - Internet Death Penalty
daemon@ATHENA.MIT.EDU (William Herrin)
Wed Mar 27 11:41:22 2013
In-Reply-To: <515309EC.4070402@brightok.net>
From: William Herrin <bill@herrin.us>
Date: Wed, 27 Mar 2013 11:40:36 -0400
To: Jack Bates <jbates@brightok.net>
Cc: nanog@nanog.org

On Wed, Mar 27, 2013 at 11:02 AM, Jack Bates <jbates@brightok.net> wrote:
> It's also not a bad idea for an ISP to deploy EGRESS filters if they do not
> offer BGP Transit services.

Nor is it a bad idea for their upstream to inquire as to whether the
downstream offers BGP transit services and apply INGRESS filters if
they do not.

> This way they are not depending on their transit
> providers to handle spoof protection and they cover their entire network
> regardless of last mile ingress filtering. This doesn't generally work well
> when doing transit services of any size due to the number of egress filter
> updates you'd have to issue, but it is great for the small/medium ISP.

Build a web page where a downstream can set the filters on his
interface at his convenience. Apply some basic sanity checks against
wide-open. Worry about small lies from a forensic after-the-fact
perspective. This problem has a trivial technology-only solution.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
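
One way the "basic sanity checks against wide-open" on a self-service filter page could look, as an added example that is not part of the original message. The function name, the width thresholds, the entry cap and the bogon list are assumptions chosen for illustration.

```python
import ipaddress

# Assumed policy values (not from the original message); tune per deployment.
MIN_PREFIX_LEN = {4: 16, 6: 32}   # anything wider is treated as "wide-open"
MAX_ENTRIES = 50                  # cap on filter entries per customer interface
# Never-valid source space. Documentation prefixes are deliberately left out
# so that constructed sample input can use them.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "::/8", "fc00::/7", "fe80::/10", "ff00::/8")]


def check_filter_request(prefixes):
    """Sanity-check the source prefixes a downstream submits for its interface.

    Returns (accepted, rejected): accepted is a collapsed list of networks to
    permit as packet sources; rejected is a list of (input, reason) pairs kept
    for after-the-fact review.
    """
    accepted, rejected = [], []
    for raw in prefixes:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=True)
        except ValueError:
            rejected.append((raw, "not a valid prefix"))
            continue
        if net.prefixlen < MIN_PREFIX_LEN[net.version]:
            rejected.append((raw, "too wide"))
        elif any(net.version == b.version and net.overlaps(b) for b in BOGONS):
            rejected.append((raw, "bogon space"))
        else:
            accepted.append(net)
    # Merge adjacent/overlapping entries per address family.
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(
            n for n in accepted if n.version == version)
    # Re-check width after merging so several small entries cannot add up to a
    # prefix that would have been refused if submitted directly.
    for net in list(merged):
        if net.prefixlen < MIN_PREFIX_LEN[net.version]:
            merged.remove(net)
            rejected.append((str(net), "too wide after merge"))
    if len(merged) > MAX_ENTRIES:
        raise ValueError("filter exceeds MAX_ENTRIES; needs manual review")
    return merged, rejected
```

The rejected list is what would be logged alongside the customer's login and timestamp, so that entries which pass the checks but later prove false can be traced back to the request that introduced them.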