[191736] in North American Network Operators' Group
Re: Request for comment -- BCP38
daemon@ATHENA.MIT.EDU (Hugo Slabbert)
Mon Sep 26 12:30:31 2016
X-Original-To: nanog@nanog.org
Date: Mon, 26 Sep 2016 09:21:55 -0700
From: Hugo Slabbert <hugo@slabnet.com>
To: Mike Hammett <nanog@ics-il.net>
In-Reply-To: <303915647.1728.1474906508724.JavaMail.mhammett@ThunderFuck>
Cc: John Levine <johnl@iecc.com>, nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
On Mon 2016-Sep-26 11:15:11 -0500, Mike Hammett <nanog@ics-il.net> wrote:
>>
>>----- Original Message -----
>>
>>From: "John Levine" <johnl@iecc.com>
>>To: nanog@nanog.org
>>Sent: Monday, September 26, 2016 11:04:33 AM
>>Subject: Re: Request for comment -- BCP38
>>
>>>If you have links from both ISP A and ISP B and decide to send traffic out
>>>ISP A's link sourced from addresses ISP B allocated to you, ISP A *should*
>>>drop that traffic on the floor. There is no automated or scalable way for
>>>ISP A to distinguish this "legitimate" use from spoofing; unless you
>>>consider it scalable for ISP A to maintain thousands if not more
>>>"exception" ACLs to uRPF and BCP38 egress filters to cover all of the cases
>>>of customers X, Y, and Z sourcing traffic into ISP A's network using IPs
>>>allocated to them by other ISPs?
>>
>>I gather the usual customer response to this is "if you don't want our
>>$50K/mo, I'm sure we can find another ISP who does."
>>
>>From the conversations I've had with ISPs, the inability to manage
>>legitimate traffic from dual homed customer networks is the most
>>significant bar to widespread BCP38. I realize there's no way to do
>>it automatically now, but it doesn't seem like total rocket science to
>>come up with some way for providers to pass down a signed object to
>>the customer routers that the routers can then pass back up to the
>>customer's other providers.
>>
>>R's,
>>John
>>
>>PS: "Illegitimate" is not a synonym for inconvenient, or hard to handle.
>>
>Are you talking BGP level customers or individual small businesses'
>broadband service?
I myself am talking about the latter and included the option of PI space to
cover that (although I guess at some point this can be made to fly with PA
space from another provider if both providers are willing enough to play
ball), though from the $50/mo figure John listed, I'm assuming he's talking
about the latter.

Do people really expect to be able to do this on residential or small
business broadband networks? I can't remember any time in recent memory
where I assumed I could set a source address to any IP I fancy and have
that packet successfully make its way through the SP's network.
>
>-----
>Mike Hammett
>Intelligent Computing Solutions
>http://www.ics-il.com
>
>Midwest-IX
>http://www.midwest-ix.com
-- 
Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com
pgp key: B178313E | also on Signal
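Added example, not part of the NANOG thread above and not anyone's production
filter: a small Python model of the decision an ISP makes on a customer-facing
port for each of the three mechanisms the thread mentions (strict uRPF, loose
uRPF, and a static BCP38 ingress ACL). It shows concretely why the dual-homed
case is the sticking point: a packet from customer X's ISP-B allocation arriving
on ISP A's port fails strict uRPF (the route for that source points at the
transit link), loose uRPF passes it but also passes any other routed address
the customer cares to spoof, and only a manually maintained per-customer
exception entry gets the legitimate traffic through while still dropping the
spoof. All prefixes, interface names, and packets are constructed from
documentation ranges (RFC 5737) for illustration; the FIB and ACL tables are
assumptions, not a real network.

```python
"""
Added example (not from the NANOG thread): BCP38 / uRPF decision on a
customer port of a hypothetical "ISP A". All data below is constructed.
"""
import ipaddress
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network

# Constructed FIB for ISP A: prefix -> egress interface.
FIB: Dict[IPv4Net, str] = {
    IPv4Net("203.0.113.0/24"): "cust-X",     # PA space ISP A assigned to customer X
    IPv4Net("198.51.100.0/24"): "upstream",  # ISP B's aggregate, learned via transit
    IPv4Net("0.0.0.0/0"): "upstream",        # default route
}

# Constructed per-interface BCP38 ingress ACL: sources a customer port may emit.
# The second entry for cust-X is the manual "exception" for the ISP-B space the
# customer also holds. This is the per-customer state the thread calls unscalable.
INGRESS_ACL: Dict[str, List[IPv4Net]] = {
    "cust-X": [IPv4Net("203.0.113.0/24"), IPv4Net("198.51.100.0/26")],
}


def longest_match(addr: ipaddress.IPv4Address) -> Optional[IPv4Net]:
    """Most specific FIB prefix containing addr, or None if nothing matches."""
    candidates = [p for p in FIB if addr in p]
    return max(candidates, key=lambda p: p.prefixlen) if candidates else None


def strict_urpf(iface: str, src: str) -> bool:
    """Strict uRPF: accept only if the best route back to src leaves via iface."""
    route = longest_match(ipaddress.IPv4Address(src))
    return route is not None and FIB[route] == iface


def loose_urpf(iface: str, src: str) -> bool:
    """Loose uRPF: accept if src is covered by any route more specific than the
    default. The ingress interface is ignored, so a customer can still spoof
    any address that is routed somewhere."""
    route = longest_match(ipaddress.IPv4Address(src))
    return route is not None and route.prefixlen > 0


def ingress_acl(iface: str, src: str) -> bool:
    """Static BCP38 ingress ACL: accept only sources explicitly permitted on iface."""
    addr = ipaddress.IPv4Address(src)
    return any(addr in p for p in INGRESS_ACL.get(iface, []))


def evaluate(iface: str, src: str) -> Dict[str, str]:
    """Run all three checks on one packet; returns {check: 'accept' | 'drop'}."""
    checks = {"strict_urpf": strict_urpf,
              "loose_urpf": loose_urpf,
              "ingress_acl": ingress_acl}
    return {name: ("accept" if fn(iface, src) else "drop")
            for name, fn in checks.items()}


# Constructed packets arriving on customer X's port.
SAMPLE_PACKETS = [
    ("cust-X", "203.0.113.10"),    # X's own ISP-A allocation
    ("cust-X", "198.51.100.10"),   # X's ISP-B allocation, sent out the ISP-A link
    ("cust-X", "198.51.100.200"),  # ISP-B space X does NOT hold (spoofed)
    ("cust-X", "192.0.2.77"),      # unrouted space (spoofed)
]

if __name__ == "__main__":
    for iface, src in SAMPLE_PACKETS:
        print(f"{iface:8s} src={src:16s} {evaluate(iface, src)}")
```

Running it prints one line per constructed packet. The second packet is the
case under discussion: strict uRPF drops it, loose uRPF accepts it (and also
accepts the third, spoofed, packet), and only the ACL with the hand-entered
/26 exception accepts the legitimate source while dropping the spoof. Swap
the exception out of INGRESS_ACL and the legitimate dual-homed traffic is
dropped by all three checks, which is the outcome the thread describes.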