Request for comment -- BCP38
- Subject: Request for comment -- BCP38
- From: johnl at iecc.com (John Levine)
- Date: 26 Sep 2016 16:04:33 -0000
- In-reply-to: <[email protected]>
>If you have links from both ISP A and ISP B and decide to send traffic out
>ISP A's link sourced from addresses ISP B allocated to you, ISP A *should*
>drop that traffic on the floor. There is no automated or scalable way for
>ISP A to distinguish this "legitimate" use from spoofing; unless you
>consider it scalable for ISP A to maintain thousands if not more
>"exception" ACLs to uRPF and BCP38 egress filters to cover all of the cases
>of customers X, Y, and Z sourcing traffic into ISP A's network using IPs
>allocated to them by other ISPs?

I gather the usual customer response to this is "if you don't want our
$50K/mo, I'm sure we can find another ISP who does."

From the conversations I've had with ISPs, the inability to manage
legitimate traffic from dual homed customer networks is the most
significant bar to widespread BCP38. I realize there's no way to do
it automatically now, but it doesn't seem like total rocket science to
come up with some way for providers to pass down a signed object to
the customer routers that the routers can then pass back up to the
customer's other providers.
R's,
John
PS: "Illegitimate" is not a synonym for inconvenient, or hard to handle.
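
The filtering decision discussed in this message, as an added example that is not part of the original post: a BCP38-style source check at ISP A's customer edge, showing why a dual-homed customer's ISP B addresses are dropped unless ISP A maintains a per-customer exception. The customer name, the RFC 5737 documentation prefixes and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample data (assumption): what ISP A allocated to each customer.
ISP_A_ALLOCATIONS = {"customer-x": ["192.0.2.0/25"]}
# Hand-maintained exceptions for prefixes another provider allocated to the
# same customer. Empty by default, which is the case the thread is about.
ISP_A_EXCEPTIONS = {"customer-x": []}

# Constructed packets arriving at ISP A on customer-x's port.
SAMPLE_SOURCES = [
    "192.0.2.10",     # allocated to customer-x by ISP A
    "198.51.100.10",  # allocated to customer-x by ISP B (dual-homed)
    "203.0.113.10",   # not allocated to customer-x by anyone: spoofed
]


def _contains(prefixes, addr):
    """True if addr falls inside any of the given CIDR prefixes."""
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def ingress_decision(customer, src, allocations, exceptions):
    """Source-address validation on a customer-facing port.

    Returns 'permit' for ISP A's own allocations, 'permit-exception' for a
    source covered by a manual exception, and 'drop' for everything else.
    """
    addr = ipaddress.ip_address(src)
    if _contains(allocations.get(customer, []), addr):
        return "permit"
    if _contains(exceptions.get(customer, []), addr):
        return "permit-exception"
    return "drop"


def classify(customer, sources, allocations, exceptions):
    """Map each source address to the filter's decision."""
    return {s: ingress_decision(customer, s, allocations, exceptions)
            for s in sources}


if __name__ == "__main__":
    # Without an exception, ISP B's address is indistinguishable from spoofing.
    print(classify("customer-x", SAMPLE_SOURCES,
                   ISP_A_ALLOCATIONS, ISP_A_EXCEPTIONS))
    # With a manual exception, only the dual-homed prefix is let through.
    with_exception = {"customer-x": ["198.51.100.0/25"]}
    print(classify("customer-x", SAMPLE_SOURCES,
                   ISP_A_ALLOCATIONS, with_exception))
```

The exception table is the part that has to be kept in sync by hand for every dual-homed customer, which is the scaling problem both writers refer to.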