[191734] in North American Network Operators' Group
Re: Request for comment -- BCP38
daemon@ATHENA.MIT.EDU (John Levine)
Mon Sep 26 12:08:19 2016
X-Original-To: nanog@nanog.org
Date: 26 Sep 2016 16:04:33 -0000
From: "John Levine" <johnl@iecc.com>
To: nanog@nanog.org
In-Reply-To: <20160926151254.GH16464@bamboo.slabnet.com>
Errors-To: nanog-bounces@nanog.org
>If you have links from both ISP A and ISP B and decide to send traffic out
>ISP A's link sourced from addresses ISP B allocated to you, ISP A *should*
>drop that traffic on the floor. There is no automated or scalable way for
>ISP A to distinguish this "legitimate" use from spoofing; unless you
>consider it scalable for ISP A to maintain thousands if not more
>"exception" ACLs to uRPF and BCP38 egress filters to cover all of the cases
>of customers X, Y, and Z sourcing traffic into ISP A's network using IPs
>allocated to them by other ISPs?
I gather the usual customer response to this is "if you don't want our
$50K/mo, I'm sure we can find another ISP who does."
From the conversations I've had with ISPs, the inability to manage
legitimate traffic from dual homed customer networks is the most
significant bar to widespread BCP38. I realize there's no way to do
it automatically now, but it doesn't seem like total rocket science to
come up with some way for providers to pass down a signed object to
the customer routers that the routers can then pass back up to the
customer's other providers.
R's,
John
PS: "Illegitimate" is not a synonym for inconvenient, or hard to handle.
