[161934] in North American Network Operators' Group
Re: Tier 2 ingress filtering
daemon@ATHENA.MIT.EDU (Jay Ashworth)
Thu Mar 28 15:32:41 2013
Date: Thu, 28 Mar 2013 15:27:04 -0400 (EDT)
From: Jay Ashworth <jra@baylink.com>
To: NANOG <nanog@nanog.org>
In-Reply-To: <CAP-guGVH4jmJ+=sALfCTwK3ttw=ULkEvcO2N0pMrefbaE2TP4g@mail.gmail.com>
----- Original Message -----
> From: "William Herrin" <bill@herrin.us>
> So, you represent to your ISP that you're authorized to use a certain
> range of addresses. He represents to his upstream that he's authorized
> to use them on your behalf, and so on.
The former is a first-hand transaction: if you're lying to your edge
carrier, he can cut you off with no collateral damage.
The latter, though, is arms-length, *and* has no reasonable way to be
implemented that I can see without extending whatever OAM&P system
that carrier has atop their gear.
> The reliability of these representations obviously falls as they grow
> distant from the source. So what? That's a problem for RPKI. The
> problem we need concern ourselves with is dropping packets whose
> source addresses are inconsistent with our customer's _representation_
> of the addresses he's authorized to originate, however reliable or
> unreliable that representation may turn out to be.
That's great, but that's a couple orders of magnitude of added complexity
that, quite frankly Bill, I can't sell just now. :-)
Worse (to bring this on-topic for NANOG): that complexity needs to live
*inside routers*, unless I'm very much mistaken.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA #natog +1 727 647 1274
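The filtering rule Bill describes above (drop packets whose source address falls outside what the customer represented as authorized, and let each carrier re-represent the union of its customers' ranges to its own upstream) modelled as a small Python simulation. This is an added example, not code from the thread or from any router vendor; the customer prefixes and sample packets are constructed from RFC 5737/3849 documentation ranges.

```python
from ipaddress import ip_address, ip_network


class IngressFilter:
    """Strict source-address ingress filter for one customer-facing port.

    `represented` is what the customer told us it is authorized to originate;
    how reliable that claim is (the RPKI question) is out of scope here."""

    def __init__(self, port, represented):
        self.port = port
        self.allowed = [ip_network(p) for p in represented]

    def permits(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.allowed if net.version == addr.version)

    def filter_packets(self, packets):
        """Split packets into (forwarded, dropped); dropped entries carry the
        port name so they can feed a spoofing-attempt log or counter."""
        forwarded, dropped = [], []
        for pkt in packets:
            if self.permits(pkt["src"]):
                forwarded.append(pkt)
            else:
                dropped.append({"port": self.port, **pkt})
        return forwarded, dropped


def uplink_filter(port, own_prefixes, customer_filters):
    """The carrier's own uplink: what *it* represents to its upstream is its
    own space plus everything its customers represented to it."""
    represented = list(own_prefixes)
    for cf in customer_filters:
        represented.extend(str(net) for net in cf.allowed)
    return IngressFilter(port, represented)


# Constructed sample topology: two customers behind one tier-2 carrier.
CUSTOMER_A = IngressFilter("cust-a", ["192.0.2.0/24", "2001:db8:a::/48"])
CUSTOMER_B = IngressFilter("cust-b", ["198.51.100.0/24"])
TIER2_UPLINK = uplink_filter("tier2-to-tier1", ["203.0.113.0/24"], [CUSTOMER_A, CUSTOMER_B])

# Constructed packets arriving on customer A's port.
SAMPLE = [
    {"src": "192.0.2.10", "dst": "203.0.113.1"},     # legitimate
    {"src": "2001:db8:a::1", "dst": "2001:db8:ffff::1"},
    {"src": "198.51.100.5", "dst": "203.0.113.1"},   # customer B's space, spoofed
    {"src": "203.0.113.77", "dst": "192.0.2.1"},     # carrier's own space, spoofed
    {"src": "10.0.0.1", "dst": "203.0.113.1"},       # nobody's space
]

if __name__ == "__main__":
    fwd, drop = CUSTOMER_A.filter_packets(SAMPLE)
    print(f"cust-a: forwarded {len(fwd)}, dropped {[d['src'] for d in drop]}")
```

Note that the tier-2 uplink filter, built from aggregated representations, would have passed the two intra-carrier spoofs that the customer-port filter catches; that is the first-hand versus arms-length distinction Jay draws above.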