nanog mailing list archives

Re: Tier 2 ingress filtering

From: Jay Ashworth <jra () baylink com>
Date: Thu, 28 Mar 2013 15:47:19 -0400 (EDT)

----- Original Message -----

From: "Saku Ytti" <saku () ytti fi>

On (2013-03-28 13:07 -0400), Jay Ashworth wrote:

The edge carrier's *upstream* is not going to know that it's reasonable
for their customer -- the end-site's carrier -- to be originating traffic
with those source addresses, and if they ingress filter based on the
prefixes they route down to that carrier, they'll drop that
traffic...


Question is, is it reasonable to expect customer to know what networks
they have.


If by "customer" you mean the same thing I do: an end user who sources
and sinks packets, which is fed by some Internet Access Provider... 

then my answer is the same thing it was before: 

"No, but it doesn't matter, because we're talking about ingress filters
on the carrier which provides them with public address space, and *it*
*does* know which network they've been given."

If yes, then you can ask them to create route objects and then you can
BGP
prefix-filter and ACL on them. I do both, and it has never been
problem to
my customers (enterprises, CDNs, eyeballs).


You are at least 30,000 feet higher than the conversation I'm having.

BGP-speaking end sites are a whole different matter, and sufficiently
smaller in number (2-5 orders of magnitude, depending on what you sell)
that they're not really pertinent here.

But if your customer has many other transit customer it can quickly become
less practical. I'm sure for many/most customers of tier1 it would not
be reasonable expects to keep such list up-to-date.


Correct, and this was the substance of my question.

You can't do it at top-level nor it's not practical to hope that some
day BCP38 is done in reasonably many last-mile port.


I don't know that that's true, actually; unicast-rpf does, as I understand
it, most of the work, and is in most of the current firmware.

But there are only 6000 non-stubby networks, if you do it at network
before stubby network, it's entirely practical and maintainable, provided
we'd want to do it.


Your assertion is the thing for which I'm requesting support in this query.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274

Current thread:

Re: Tier 2 ingress filtering, (continued)
- - - Re: Tier 2 ingress filtering Jay Ashworth (Mar 28)
    - Re: Tier 2 ingress filtering Valdis . Kletnieks (Mar 28)
    - Re: Tier 2 ingress filtering Jay Ashworth (Mar 28)
    - Re: Tier 2 ingress filtering Jon Lewis (Mar 28)
    - Re: Tier 2 ingress filtering goemon (Mar 28)
- Re: Tier 2 ingress filtering William Herrin (Mar 28)
  - Re: Tier 2 ingress filtering Jay Ashworth (Mar 28)
    - Re: Tier 2 ingress filtering Paul Ferguson (Mar 28)
    - Re: Tier 2 ingress filtering Jay Ashworth (Mar 28)
- Re: Tier 2 ingress filtering Saku Ytti (Mar 28)
  - Re: Tier 2 ingress filtering Jay Ashworth (Mar 28)
    - Re: Tier 2 ingress filtering Saku Ytti (Mar 28)
    - Re: Tier 2 ingress filtering Rajiv Asati (rajiva) (Mar 28)
    - Re: Tier 2 ingress filtering Saku Ytti (Mar 28)
    - Re: Tier 2 ingress filtering Jeff Kell (Mar 28)
  - Re: Tier 2 ingress filtering Tore Anderson (Mar 29)
    - Re: Tier 2 ingress filtering William Herrin (Mar 29)
    - Re: Tier 2 ingress filtering Patrick (Mar 29)
    - Re: Tier 2 ingress filtering Alejandro Acosta (Mar 29)
    - Re: Tier 2 ingress filtering William Herrin (Mar 29)
    - Re: Tier 2 ingress filtering Alejandro Acosta (Mar 30)

(Thread continues...)