[168782] in North American Network Operators' Group


Re: BCP38 is hard, was TWC (AS11351) blocking all NTP?

daemon@ATHENA.MIT.EDU (Octavio Alvarez)
Tue Feb 4 18:00:36 2014

Date: Tue, 04 Feb 2014 15:00:18 -0800
From: Octavio Alvarez <alvarezp@alvarezp.ods.org>
To: John Levine <johnl@iecc.com>, nanog@nanog.org
In-Reply-To: <20140204221821.57348.qmail@joyce.lan>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 04/02/14 14:18, John Levine wrote:
> I was at a conference with people from some Very Large ISPs.  They
> told me that many of their large customers absolutely will not let
> them do BCP38 filtering.  ("If you don't want our business, we can
> find someone else who does.")  The usual problem is that they have PA
> space from two providers and for various reasons, not all of which
> are stupid, traffic with provider A's addresses sometimes goes out
> through provider B.  Adding to the excitement, some of these
> customers are medium sized ISPs with multihomed customers of their
> own.

I haven't read it all, but section 3 says:

> However, by restricting transit traffic which originates from a
> downstream network to known, and intentionally advertised,
> prefix(es), the problem of source address spoofing can be virtually
> eliminated in this attack scenario.

If an ISP has customer A with multiple *known* valid networks (it doesn't matter whether the ISP allocated them to the customer or not) and the ISP lets them all out but filters everything else, the ISP is still complying with BCP 38.

Here it's not a matter of blocking "just because". It's blocking unknown addresses. Nor does it mean that the ISP should not open the filters if the customer requests a new prefix.
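The filter described above, as an added Python illustration that is not part of the thread: a per-customer allow-list of known, intentionally advertised prefixes (including space the customer holds from another provider), everything else dropped and logged, and the list opened when a new prefix is requested. All prefixes and addresses are constructed from documentation ranges.

```python
"""BCP38-style ingress filter for a multihomed customer (added illustration)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample data: documentation prefixes, not real allocations.
# Customer A has one prefix assigned by us (provider B) and one assigned by
# provider A that legitimately exits through our network.
CUSTOMER_A_KNOWN_PREFIXES = [
    "192.0.2.0/24",     # PA space assigned by us
    "198.51.100.0/24",  # PA space from provider A, intentionally advertised to us
]


class IngressFilter:
    """Source-address filter on a customer-facing interface: permit only known prefixes."""

    def __init__(self, customer: str, prefixes: List[str]):
        self.customer = customer
        self.permitted = [ipaddress.ip_network(p) for p in prefixes]
        self.dropped: List[Tuple[str, str]] = []  # (src, dst) of rejected packets

    def add_prefix(self, prefix: str) -> None:
        """Open the filter for a newly requested, intentionally advertised prefix."""
        net = ipaddress.ip_network(prefix)
        if net not in self.permitted:
            self.permitted.append(net)

    def permits_source(self, src: str) -> bool:
        addr = ipaddress.ip_address(src)
        # Membership is False across IP versions, so v4 and v6 lists can coexist.
        return any(addr in net for net in self.permitted)

    def forward(self, src: str, dst: str) -> bool:
        """Return True if the packet is forwarded, False if dropped (and logged)."""
        if self.permits_source(src):
            return True
        self.dropped.append((src, dst))
        return False


def run_sample() -> Dict[str, bool]:
    f = IngressFilter("customer-A", CUSTOMER_A_KNOWN_PREFIXES)
    results = {
        "our_pa_space": f.forward("192.0.2.10", "203.0.113.5"),
        "provider_a_pa_space": f.forward("198.51.100.7", "203.0.113.5"),
        "spoofed_unknown": f.forward("203.0.113.99", "203.0.113.5"),
    }
    # The customer later requests a third prefix: open the filter rather than refuse.
    f.add_prefix("2001:db8:a::/48")
    results["new_prefix_after_request"] = f.forward("2001:db8:a::1", "2001:db8:b::1")
    results["only_spoofed_packet_logged"] = f.dropped == [("203.0.113.99", "203.0.113.5")]
    return results
```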



home help back first fref pref prev next nref lref last post