[93906] in North American Network Operators' Group


Re: Quick BGP peering question

daemon@ATHENA.MIT.EDU (Jeff Aitken)
Wed Jan 3 08:57:48 2007

Date: Wed, 3 Jan 2007 08:56:33 -0500
From: Jeff Aitken <jaitken@aitken.com>
To: James Blessing <james.blessing@entagroup.com>
Cc: 'nanog' <nanog@merit.edu>
In-Reply-To: <459BB15A.70000@entagroup.com>
Errors-To: owner-nanog@merit.edu


On Wed, Jan 03, 2007 at 01:36:26PM +0000, James Blessing wrote:
> Expecting the traffic is not a problem, just want some way of verifying 
> that the traffic isn't malicious/spoofed (e.g. by using unicast RPF or
> similar)

Whether or not the customer plans on advertising prefixes via BGP, 
your standard contract/AUP should contain a provision that:

(a) requires that the customer provide a list of IP blocks from which
traffic may be sourced, and

(b) allows you to drop any packets with a source IP not in the list.


The mechanism you use to keep track of this info (post-it notes, 
email, automated route-registry system, etc.) may be subject to
negotiation, but the underlying requirement should not be.  

Ideally, you'd keep all this in a database and auto-generate BOTH
prefix filters (for the BGP session) AND packet filters (for the
interface) every time the customer registered a new route.


--Jeff
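
Added example, not part of the original message: a sketch of the database-driven generation described above, where one list of registered blocks yields both the BGP prefix filter and the interface packet filter. The registry contents, customer name, filter names and the Cisco IOS-style output syntax are assumptions.

```python
import ipaddress

# Constructed sample data standing in for the registration database.
REGISTRY = {
    "cust-example": ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24"],
}


def load_blocks(customer, registry=REGISTRY):
    """Parse and validate a customer's registered source blocks."""
    nets = set()
    for text in registry[customer]:
        # strict=True rejects entries with host bits set, e.g. 192.0.2.1/24
        net = ipaddress.ip_network(text, strict=True)
        if net.version != 4:
            raise ValueError(f"this sketch handles IPv4 only: {text}")
        if net.prefixlen == 0:
            raise ValueError("0.0.0.0/0 would permit every source address")
        nets.add(net)
    return sorted(nets)


def prefix_filter(customer, blocks):
    """BGP session: permit exactly the routes the customer registered."""
    return [
        f"ip prefix-list {customer}-in seq {i * 5} permit {net}"
        for i, net in enumerate(blocks, start=1)
    ]


def packet_filter(customer, blocks):
    """Interface: permit packets sourced from registered space, drop the rest.

    Adjacent blocks are merged here because only address coverage matters
    for source filtering; the prefix filter keeps the exact registered routes.
    """
    lines = [f"ip access-list extended {customer}-src"]
    for net in ipaddress.collapse_addresses(blocks):
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any")
    return lines


if __name__ == "__main__":
    blocks = load_blocks("cust-example")
    print("\n".join(prefix_filter("cust-example", blocks)))
    print("\n".join(packet_filter("cust-example", blocks)))
```

Regenerating both outputs from the same validated list on every registration change keeps the routing policy and the source-address filter from drifting apart.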

