[168778] in North American Network Operators' Group


Re: BCP38 is hard, was TWC (AS11351) blocking all NTP?

daemon@ATHENA.MIT.EDU (Paul Ferguson)
Tue Feb 4 17:28:15 2014

Date: Tue, 04 Feb 2014 14:27:55 -0800
From: Paul Ferguson <fergdawgster@mykolab.com>
To: John Levine <johnl@iecc.com>
In-Reply-To: <20140204221821.57348.qmail@joyce.lan>
Cc: nanog@nanog.org
Reply-To: fergdawgster@mykolab.com
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 2/4/2014 2:18 PM, John Levine wrote:

>>>> If just three of the transit-free networks rewrote their
>>>> peering contracts such that there was a $10k per day penalty
>>>> for sending packets with source addresses the peer should
>>>> reasonably have known were forged, this problem would go away
>>>> in a matter of weeks.
>>> 
>>> Won't work because no one will sign that contract.
> 
> Oh, right, how hard can it be to put a bell on that pesky cat?
> 
> 
> I was at a conference with people from some Very Large ISPs.  They 
> told me that many of their large customers absolutely will not let 
> them do BCP38 filtering.  ("If you don't want our business, we can 
> find someone else who does.")  The usual problem is that they have
> PA space from two providers and for various reasons, not all of
> which are stupid, traffic with provider A's addresses sometimes
> goes out through provider B.  Adding to the excitement, some of
> these customers are medium sized ISPs with multihomed customers of
> their own.
> 
> I don't know BGP well enough to know if it's possible to send out 
> announcements for this situation, this address range is us, but
> don't route traffic to it.  Even if it is, not all of the customers
> do BGP, some are just stub networks.
> 
> If we could figure out a reasonable way (i.e., one that the
> customers might be willing to implement) to handle this, it'll make
> BCP38 a lot more doable.
> 

BCP84? :-)

- ferg


-- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2

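The multihomed case from the quoted message, checked against the ingress-filtering modes described in BCP84 (RFC 3704), as an added example that is not part of the original thread. The prefixes, interface names and routing table are constructed, and the customer is assumed to announce provider A's block to provider B as a non-preferred path.

```python
import ipaddress

# Constructed routing view on provider B's edge router (documentation prefixes).
# The customer on cust0 holds PA space from B (203.0.113.0/24) and A (198.51.100.0/24).
# Each entry: (prefix, interface, is_best_path)
RIB = [
    ("203.0.113.0/24", "cust0", True),    # B's PA block, routed to the customer
    ("198.51.100.0/24", "peerA", True),   # A's PA block: best path points at A
    ("198.51.100.0/24", "cust0", False),  # same block learned from the customer, not preferred
    ("192.0.2.0/24", "peerA", True),      # unrelated third-party network
    ("0.0.0.0/0", "upstream", True),      # default route
]
ROUTES = [(ipaddress.ip_network(p), ifc, best) for p, ifc, best in RIB]

# Static per-interface allow list, for stub customers that do not speak BGP.
ACL = {"cust0": [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]}


def reverse_paths(src, best_only=True, use_default=True):
    """Interfaces of the longest-match routes back toward src."""
    addr = ipaddress.ip_address(src)
    hits = [(net, ifc) for net, ifc, best in ROUTES
            if addr in net and (best or not best_only)
            and (use_default or net.prefixlen > 0)]
    longest = max((net.prefixlen for net, _ in hits), default=None)
    return {ifc for net, ifc in hits if net.prefixlen == longest}


def check(src, iface):
    """Accept (True) or drop (False) per filtering mode for a packet arriving on iface."""
    addr = ipaddress.ip_address(src)
    return {
        "strict": iface in reverse_paths(src),                     # best path only
        "feasible": iface in reverse_paths(src, best_only=False),  # any known path
        "loose": bool(reverse_paths(src, use_default=False)),      # any route, default ignored
        "acl": any(addr in net for net in ACL.get(iface, [])),     # static prefix list
    }


if __name__ == "__main__":
    for label, src in [("B's PA space", "203.0.113.10"),
                       ("A's PA space sent via B", "198.51.100.10"),
                       ("forged source", "192.0.2.55")]:
        print(f"{label:26} {src:15} {check(src, 'cust0')}")
```

In this constructed table, strict mode drops the customer's legitimate traffic sourced from provider A's block, feasible-path mode and the prefix list accept it, and only loose mode lets the forged source through.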

