nanog mailing list archives

Re: Tier 2 ingress filtering - folo


From: Saku Ytti <saku () ytti fi>
Date: Sat, 30 Mar 2013 18:34:25 +0200

On (2013-03-30 11:39 -0400), Jay Ashworth wrote:

> But there's no way for an upstream transit carrier to know that *at the present
> time*.

We expect our customers to mark any customers they have in their AS-SET.
And we filter BGP announcements and we ACL traffic based on that.

I know mandating strict IRR is not practical for everyone today. But for me,
it's practical. Sometimes I need to educate customers on how to create a route
object or AS-SET.

At least every non-stubby ASN facing stubby ASN should be able to do strict
IRR. This is about 6000 networks. Compared to other options:

1) close recursive name servers
  - even if all are closed, attack vector is virtually the same, as large
    RR can be found in arbitrary authoritative due to DNSSEC
  - snmpbulkwalk
  - UDP du jour

2) implement uRPF at last mile
  - hundreds of millions of ports, many of them running on autopilot, good
    chunk of them will never ever support uRPF

Obviously if we could choose 2) it would be best, but we can't choose it.

-- 
  ++ytti
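
As an added example (not part of the post above, and not Saku's or NANOG's
code): what "strict IRR" on a customer port boils down to in practice is (a)
expanding the customer's AS-SET recursively into a set of origin ASNs, (b)
collecting the route objects those ASNs have registered, and (c) turning that
into both a BGP prefix-list and a source-address ACL on the interface, so that a
customer who forgets to register a downstream gets neither its routes accepted
nor its packets forwarded. The RPSL objects, AS numbers, AS-SET names and the
/24 "le" floor below are all constructed assumptions for illustration, not real
IRR data or any operator's policy; the IOS-style syntax is only one rendering.

```python
"""Expand an IRR AS-SET into a BGP prefix filter and ingress ACL.

Illustrative code added to this page; the RPSL text is a constructed sample
(hypothetical ASNs, AS-SETs, prefixes), not real IRR records.
"""
import re
from ipaddress import ip_network

# Constructed sample IRR data: customer AS-SET that includes its own ASN plus a
# downstream's AS-SET, which (deliberately) references the parent again, so the
# expansion must handle loops. AS64502 is registered but not a customer.
SAMPLE_IRR = """
as-set:     AS-CUSTOMER1
members:    AS64500, AS-DOWNSTREAM1
descr:      hypothetical transit customer

as-set:     AS-DOWNSTREAM1
members:    AS64501, AS-CUSTOMER1
descr:      hypothetical downstream of the customer (loops back on purpose)

route:      192.0.2.0/24
origin:     AS64500

route:      198.51.100.0/25
origin:     AS64501

route:      203.0.113.0/24
origin:     AS64502
"""


def parse_rpsl(text):
    """Split RPSL text into a list of {attribute: [values]} dicts.
    Objects are separated by blank lines; one 'key: value' per line."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        obj = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            obj.setdefault(key.strip().lower(), []).append(value.strip())
        objects.append(obj)
    return objects


def expand_as_set(name, objects, seen=None):
    """Recursively resolve an AS-SET into the set of ASNs it contains.
    `seen` stops infinite recursion when AS-SETs reference each other."""
    seen = set() if seen is None else seen
    if name.upper() in seen:
        return set()
    seen.add(name.upper())
    asns = set()
    for obj in objects:
        if obj.get("as-set", [""])[0].upper() != name.upper():
            continue
        for value in obj.get("members", []):
            for member in (m.strip() for m in value.split(",") if m.strip()):
                if re.fullmatch(r"AS\d+", member, re.I):   # plain ASN
                    asns.add(member.upper())
                else:                                      # nested AS-SET
                    asns |= expand_as_set(member, objects, seen)
    return asns


def routes_for(asns, objects):
    """Route objects whose origin is one of the expanded ASNs."""
    return sorted({ip_network(o["route"][0]) for o in objects
                   if "route" in o and o["origin"][0].upper() in asns})


def build_prefix_list(name, prefixes, max_len=24):
    """IOS-style prefix-list: registered routes, with more-specifics allowed
    down to /24 (assumed policy floor), and an explicit deny-all at the end."""
    lines = []
    for p in prefixes:
        suffix = f" le {max_len}" if p.prefixlen < max_len else ""
        lines.append(f"ip prefix-list {name} permit {p}{suffix}")
    lines.append(f"ip prefix-list {name} deny 0.0.0.0/0 le 32")
    return lines


def build_acl(name, prefixes):
    """Ingress ACL for the customer port: only source addresses inside the
    registered routes may enter; anything else is spoofed and is dropped."""
    lines = [f"ip access-list extended {name}"]
    for p in prefixes:
        lines.append(f" permit ip {p.network_address} {p.hostmask} any")
    lines.append(" deny ip any any log")
    return lines


def announcement_allowed(prefix, origin, asns, prefixes, max_len=24):
    """Would one received BGP announcement pass the derived policy?"""
    net = ip_network(prefix)
    if origin.upper() not in asns:
        return False
    for p in prefixes:
        if p.version != net.version:
            continue
        if net == p or (net.subnet_of(p) and net.prefixlen <= max_len):
            return True
    return False


def main():
    objs = parse_rpsl(SAMPLE_IRR)
    asns = expand_as_set("AS-CUSTOMER1", objs)
    prefixes = routes_for(asns, objs)
    print("\n".join(build_prefix_list("CUSTOMER1-IN", prefixes)))
    print("\n".join(build_acl("CUSTOMER1-SRC", prefixes)))


if __name__ == "__main__":
    main()
```

The point the script makes concrete is that the prefix-list and the ACL are
derived from the same expansion, so a customer who leaks a downstream's prefix
without registering it is refused at the BGP session and, if it spoofs the
source anyway, at the interface.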