[168767] in North American Network Operators' Group
Re: TWC (AS11351) blocking all NTP?
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Tue Feb 4 14:42:26 2014
In-Reply-To: <CAP-guGWWPrsxxJmWpTF6oEVxukRWZ9Jyb10JCa83HjAQKQ0gcw@mail.gmail.com>
Date: Tue, 4 Feb 2014 14:38:50 -0500
From: Christopher Morrow <morrowc.lists@gmail.com>
To: William Herrin <bill@herrin.us>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue, Feb 4, 2014 at 2:28 PM, William Herrin <bill@herrin.us> wrote:
> On Tue, Feb 4, 2014 at 2:08 PM, Doug Barton <dougb@dougbarton.us> wrote:
>> On 02/04/2014 08:04 AM, William Herrin wrote:
>>> If just three of the transit-free networks rewrote their peering
>>> contracts such that there was a $10k per day penalty for sending
>>> packets with source addresses the peer should reasonably have known
>>> were forged, this problem would go away in a matter of weeks.
>>
>> Won't work because no one will sign that contract.
>
> Hi Doug,
>
> Verizon Business is willing to do settlement-free peering with you but

you forgot an IF there, right?

All of these 'get N tierM networks to peer and agree to penalties
amongst each other in the case of Y happening' discussions sound a LOT
like long-distance settlement regimes. There's a nice fellow in
tcpm/iccrwg in the ietf that's happy to talk a lot about 'red packets'
and 'black packets' and congestion and cost shifting for this sort of
thing, which frankly sounds almost exactly like the conversation about
spoofed packets.

In a world where folk connect to a peering fabric and default-route
toward a peer, or never send routes to a peer yet prefer paths across
that peer... or hell, do this with their ISP network connections. How
does one tell that 'ISPX sent me a packet that is spoofed'? How does
that hold up in court? (which will happen eventually when the billing
dispute goes south... and will happen months after the event in
question.)

It's a laudable goal, to do some enforcement of bcp38-like functions,
but doing it at SFP links is frankly impractical and bound to fail.
Instead, concentrate on the customer edge of the problem and solve
things there, eh?

-chris