[161935] in North American Network Operators' Group


Re: Tier 2 ingress filtering

daemon@ATHENA.MIT.EDU (Paul Ferguson)
Thu Mar 28 15:42:42 2013

In-Reply-To: <12944408.2.1364498824887.JavaMail.root@benjamin.baylink.com>
Date: Thu, 28 Mar 2013 12:42:30 -0700
From: Paul Ferguson <fergdawgster@gmail.com>
To: Jay Ashworth <jra@baylink.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, Mar 28, 2013 at 12:27 PM, Jay Ashworth <jra@baylink.com> wrote:

> ----- Original Message -----
>> From: "William Herrin" <bill@herrin.us>
>
>> So, you represent to your ISP that you're authorized to use a certain
>> range of addresses. He represents to his upstream that he's authorized
>> to use them on your behalf, and so on.
>
> The former is a first-hand transaction: if you're lying to your edge
> carrier, he can cut you off with no collateral damage.
>

Of course, he has to notice it first. :-)

ObOpinion: It's best to *enforce* a policy which disallows a
downstream network from sourcing spoofed packets -- and the closer to
the "edge" you are, the better. Hierarchy is great for that. :-)

I guess the next best thing is "Trust but verify"?

- ferg


-- 
"Fergie", a.k.a. Paul Ferguson
 fergdawgster(at)gmail.com

