[161941] in North American Network Operators' Group


Re: Tier 2 ingress filtering

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu Mar 28 17:10:46 2013

To: Jay Ashworth <jra@baylink.com>
In-Reply-To: Your message of "Thu, 28 Mar 2013 15:05:57 -0400."
 <20947669.0.1364497409592.JavaMail.root@benjamin.baylink.com>
From: Valdis.Kletnieks@vt.edu
Date: Thu, 28 Mar 2013 17:08:54 -0400
Cc: nanog@nanog.org

On Thu, 28 Mar 2013 15:05:57 -0400, Jay Ashworth said:
> ----- Original Message -----
> > From: "Valdis Kletnieks" <Valdis.Kletnieks@vt.edu>
> > For 5 9's worth of eyeball networks hanging off consumer-grade ADSL and cable
> > connections, it's still the edge and still trivially filterable. If that's a
> > problem, the ISP can upsell a business-class connection that doesn't
> > filter. ;)
>
> C'mon guys: the edge is where people who *source and sink* packets
> connect to people who *move* packets.  There may be some edges *inside*
> carriers, but there is certainly an edge where carriers hook up customers.

Exactly: for packets leaving Comcast's network and going to another tier 1/2,
the receiver may have a hard time figuring out whether the packet is legit or not.
But it's trivial for Comcast to tell whether the packet that just came out of
my cable modem is consistent with what their DHCP server told my CPE.
(For the record, the last time I tried running the spoofer.sail stuff
on my home gear, it was totally unable to sneak a packet out, so at least
part of Comcast does this right.)

And the fact that there are places where it *is* hard to deploy isn't an excuse
for not doing it in the 98% of places where it's a slam dunk.

> And no, this should apply to business-grade connections as much as resi.

Oh, I was intending *those* would be filtered by default as well, but you
could request an opt-out if you were trying to do multi-homing on the cheap
as some people have suggested (similar to blocking outbound 25 by default,
unless the user actually has a mail server).

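The check the message describes (the access network already knows which address its DHCP server leased to each CPE, so a packet arriving on that subscriber port with any other source is a spoof and can be dropped there, where it is trivial, rather than at a peer who cannot tell) together with the proposed opt-out for business customers doing cheap multi-homing, as an added example. This is illustrative code written for this page, not Comcast's implementation and not part of the original post; the port names, lease table, addresses (RFC 5737 documentation ranges) and the `SubscriberEdgeFilter` / `escaped_sources` names are all constructed for the example.

```python
"""Subscriber-edge source-address validation keyed on the ISP's own DHCP leases.

Added example for the NANOG thread above; not code from the post or from any
ISP.  Ports, leases and addresses below are constructed sample data.
"""
from ipaddress import IPv4Address, ip_address

UNSPECIFIED = IPv4Address("0.0.0.0")          # source used by DHCPDISCOVER/REQUEST
LIMITED_BROADCAST = IPv4Address("255.255.255.255")


class SubscriberEdgeFilter:
    """Per-port source validation driven by DHCP lease state.

    The hardware analogue is DHCP snooping plus IP source guard (or strict
    uRPF on a per-subscriber interface); this models the decision logic.
    """

    def __init__(self) -> None:
        # subscriber port -> addresses the DHCP server has leased on that port
        self.leases: dict[str, set[IPv4Address]] = {}
        # ports whose customer asked to be unfiltered (the business opt-out)
        self.unfiltered_ports: set[str] = set()

    def learn_lease(self, port: str, address: str) -> None:
        """A DHCPACK was seen towards this port: the address is valid here."""
        self.leases.setdefault(port, set()).add(ip_address(address))

    def release_lease(self, port: str, address: str) -> None:
        """DHCPRELEASE or lease expiry: the address is no longer valid here."""
        self.leases.get(port, set()).discard(ip_address(address))

    def opt_out(self, port: str) -> None:
        """Customer-requested opt-out (hypothetical policy from the post)."""
        self.unfiltered_ports.add(port)

    def admit(self, port: str, src: str, dst: str) -> tuple[bool, str]:
        """Decide whether a packet from `port` with source `src` may leave.

        Returns (admitted, reason).  Fails closed: a port with no lease
        cannot legitimately source anything except the DHCP bootstrap itself.
        """
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if port in self.unfiltered_ports:
            return True, "opt-out"
        # A CPE with no lease yet must still be able to ask for one.
        if src_ip == UNSPECIFIED and dst_ip == LIMITED_BROADCAST:
            return True, "dhcp-bootstrap"
        if src_ip in self.leases.get(port, set()):
            return True, "matches-lease"
        return False, "spoofed"


def escaped_sources(filt: SubscriberEdgeFilter, port: str,
                    candidates: list[str], dst: str = "203.0.113.1") -> list[str]:
    """Emulate a spoofing probe: which candidate sources get past the filter?"""
    return [s for s in candidates if filt.admit(port, s, dst)[0]]


def demo() -> dict[str, list[str]]:
    """Constructed scenario: one residential lease, one opted-out business port."""
    edge = SubscriberEdgeFilter()
    edge.learn_lease("cm-0001", "198.51.100.10")      # resi cable modem
    edge.opt_out("biz-0007")                           # multi-homed business customer
    probe = ["198.51.100.10", "192.0.2.77", "10.0.0.1"]
    return {
        "cm-0001": escaped_sources(edge, "cm-0001", probe),   # only the leased address
        "cm-0002": escaped_sources(edge, "cm-0002", probe),   # no lease: nothing escapes
        "biz-0007": escaped_sources(edge, "biz-0007", probe), # opt-out: everything escapes
    }


if __name__ == "__main__":
    for port, escaped in demo().items():
        print(f"{port}: escaped {escaped}")
```

Two details worth keeping in a real deployment: the bootstrap exception must be narrow (unspecified source to the limited broadcast only), otherwise it becomes the spoofing hole, and a lease entry must be removed when the lease expires or is released, or a subscriber keeps the right to source an address that the DHCP server may have handed to someone else.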