[161937] in North American Network Operators' Group
Re: Tier 2 ingress filtering
daemon@ATHENA.MIT.EDU (Jay Ashworth)
Thu Mar 28 15:52:02 2013
Date: Thu, 28 Mar 2013 15:51:49 -0400 (EDT)
From: Jay Ashworth <jra@baylink.com>
To: NANOG <nanog@nanog.org>
In-Reply-To: <CANQy6FabkDf2g_J+NtgcAxo5zY1KuNBp=fTix61wbShqSqjYpQ@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
----- Original Message -----
> From: "Paul Ferguson" <fergdawgster@gmail.com>
> > The former is a first-hand transaction: if you're lying to your edge
> > carrier, he can cut you off with no collateral damage.
>
> Of course, he has to notice it first. :-)
Sure.
> ObOpinion: It's best to *enforce* a policy which disallows a
> downstream network from sourcing spoofed packets -- and the closer to
> the "edge" you are, the better, Hierarchy is great for that. :-)
Sure; that's sort of my point: this is *much* more effectively done at
the actual edge; I think the systemic complexity of pushing it further
in goes up as a log function -- meaning that the fact that there are
only maybe 6000 transit networks is a red herring.
> I guess the next best thing is "Trust but verify"?
Always.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA #natog +1 727 647 1274
