[52665] in North American Network Operators' Group


Re: Who does source address validation? (was Re: what's that smell?)

daemon@ATHENA.MIT.EDU (Danny McPherson)
Tue Oct 8 11:35:51 2002

To: nanog@merit.edu
From: Danny McPherson <danny@tcb.net>
Reply-To: danny@tcb.net
Date: Tue, 08 Oct 2002 09:30:10 -0600
Errors-To: owner-nanog-outgoing@merit.edu



> If there is a magic solution, I would love to hear about it.

I strongly doubt any of the large providers perform dataplane source 
address validation from peers.  Heck, I doubt any perform explicit 
route filtering on routes learned from peers at the control plane.

Ideally, one would first employ some mechanism to generate 
*explicit* ingress BGP route filters.  With BGP Route Refresh 
the largest offshoot (manual session reset or "bouncing the
route") is no longer necessary.

From there, you could either use BGP's Adj-RIBs-In in some 
uRPFish thing, or employ the same set of BGP route filters 
for source address filters.

Of course, then the lack of registry route object integrity, 
secure update mechanism, etc., etc., comes into question.

-danny
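
The two options in the message above, sketched as an added example that is not part of the original post: an explicit per-peer route filter is applied to announcements to form the Adj-RIB-In, and packet sources are then checked either against that Adj-RIB-In (uRPF-like) or against the filter prefixes themselves. Peer names, prefixes (documentation ranges), the maximum-length field and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation prefixes, hypothetical peer names).
# Explicit ingress route filter per peer: (covering prefix, longest length accepted).
ROUTE_FILTERS = {
    "peer-a": [("192.0.2.0/24", 24), ("198.51.100.0/24", 25)],
    "peer-b": [("203.0.113.0/24", 24)],
}
# Routes each peer currently announces to us (constructed).
ANNOUNCED = {
    "peer-a": ["192.0.2.0/24", "198.51.100.128/25", "203.0.113.0/24"],
    "peer-b": ["203.0.113.0/24"],
}

def permitted(peer, route):
    """Control plane: is this announcement allowed by the peer's explicit filter?"""
    net = ipaddress.ip_network(route)
    for covering, max_len in ROUTE_FILTERS.get(peer, []):
        cover = ipaddress.ip_network(covering)
        if net.version == cover.version and net.subnet_of(cover) and net.prefixlen <= max_len:
            return True
    return False

def adj_rib_in(peer):
    """Routes kept from the peer after ingress filtering."""
    return [ipaddress.ip_network(r) for r in ANNOUNCED.get(peer, []) if permitted(peer, r)]

def source_ok_rib(peer, src):
    """uRPF-like check: source must fall inside a route accepted from this peer."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in adj_rib_in(peer))

def source_ok_filter(peer, src):
    """Filter reuse: source must fall inside a prefix the route filter names."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p, _ in ROUTE_FILTERS.get(peer, []))

if __name__ == "__main__":
    for peer, src in [("peer-a", "192.0.2.10"), ("peer-a", "198.51.100.5"),
                      ("peer-a", "203.0.113.9"), ("peer-b", "192.0.2.10")]:
        print(peer, src, "rib:", source_ok_rib(peer, src), "filter:", source_ok_filter(peer, src))
```

The second sample packet shows where the two approaches diverge: its source is inside a prefix the filter permits but outside what the peer actually announces, so the Adj-RIB-In check drops it while the reused filter accepts it.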

