nanog mailing list archives

Re: Request for comment -- BCP38


From: Mike Hammett <nanog () ics-il net>
Date: Mon, 26 Sep 2016 11:29:42 -0500 (CDT)

I would assume that on a broadband grade connection it shouldn't work unless you have a niche player and proper LOA. 

I would assume that on a BGP level circuit that it would work, again, given proper documentation (LOAs, IRRDB entry, 
etc.). IRRDBs make this wonderfully easier. By default, deny. Allow whatever is in the IRRDB entry. $250 for manual 
changes. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "Hugo Slabbert" <hugo () slabnet com> 
To: "Mike Hammett" <nanog () ics-il net> 
Cc: "John Levine" <johnl () iecc com>, nanog () nanog org 
Sent: Monday, September 26, 2016 11:21:55 AM 
Subject: Re: Request for comment -- BCP38 


On Mon 2016-Sep-26 11:15:11 -0500, Mike Hammett <nanog () ics-il net> wrote: 


----- Original Message ----- 

From: "John Levine" <johnl () iecc com> 
To: nanog () nanog org 
Sent: Monday, September 26, 2016 11:04:33 AM 
Subject: Re: Request for comment -- BCP38 

If you have links from both ISP A and ISP B and decide to send traffic out 
ISP A's link sourced from addresses ISP B allocated to you, ISP A *should* 
drop that traffic on the floor. There is no automated or scalable way for 
ISP A to distinguish this "legitimate" use from spoofing; unless you 
consider it scalable for ISP A to maintain thousands if not more 
"exception" ACLs to uRPF and BCP38 egress filters to cover all of the cases 
of customers X, Y, and Z sourcing traffic into ISP A's network using IPs 
allocated to them by other ISPs? 

I gather the usual customer response to this is "if you don't want our 
$50K/mo, I'm sure we can find another ISP who does." 

From the conversations I've had with ISPs, the inability to manage 
legitimate traffic from dual homed customer networks is the most 
significant bar to widespread BCP38. I realize there's no way to do 
it automatically now, but it doesn't seem like total rocket science to 
come up with some way for providers to pass down a signed object to 
the customer routers that the routers can then pass back up to the 
customer's other providers. 

R's, 
John 

PS: "Illegitimate" is not a synonym for inconvenient, or hard to handle. 


Are you talking BGP level customers or individual small businesses' 
broadband service? 

I myself am talking about the latter and included the option of PI space to 
cover that (although I guess at some point this can be made to fly with PA 
space from another provider if both providers are willing enough to play 
ball), though from the $50/mo figure John listed, I'm assuming he's talking 
about the latter. 

Do people really expect to be able to do this on residential or small 
business broadband networks? I can't remember any time in recent memory 
where I assumed I could set a source address to any IP I fancy and have 
that packet successfully make its way through the SP's network. 


----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

-- 
Hugo Slabbert | email, xmpp/jabber: hugo () slabnet com 
pgp key: B178313E | also on Signal 
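Mike's "by default, deny; allow whatever is in the IRRDB entry" policy, as an added example that is not code from anyone on this thread: it parses constructed RPSL route/route6 objects (documentation prefixes and private ASNs, not real IRR data) and applies them as a per-customer BCP38 ingress filter, covering the dual-homed case where the customer registers PA space from its other upstream under its own origin ASN.

```python
import ipaddress
import re

# Constructed RPSL objects standing in for an IRRDB lookup (not real registry data).
# AS64500 is the dual-homed customer; 198.51.100.0/24 is PA space from its other
# upstream, registered with the customer's own origin so the filter can admit it.
IRR_OBJECTS = """\
route:      192.0.2.0/24
origin:     AS64500

route:      198.51.100.0/24
origin:     AS64500

route:      203.0.113.0/24
origin:     AS64511

route6:     2001:db8:100::/48
origin:     AS64500
"""

def parse_route_objects(text):
    """Return {origin_asn: [ip_network, ...]} from RPSL route/route6 objects."""
    prefixes = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(re.findall(r"^(\w+):\s*(\S+)", block, re.M))
        prefix = attrs.get("route") or attrs.get("route6")
        origin = attrs.get("origin")
        if prefix and origin:
            prefixes.setdefault(origin.upper(), []).append(
                ipaddress.ip_network(prefix, strict=True))
    return prefixes

def build_ingress_allowlist(irr, customer_asn):
    """Only prefixes registered to the customer's ASN are allowed; nothing else is."""
    return list(irr.get(customer_asn.upper(), []))

def source_permitted(src, allowlist):
    """Default deny: accept a source only if it falls inside an allowed prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowlist)  # version mismatch is never a match

def filter_packets(sources, customer_asn, irr_text=IRR_OBJECTS):
    """Apply the per-customer ingress policy to a list of packet source addresses."""
    allowlist = build_ingress_allowlist(parse_route_objects(irr_text), customer_asn)
    return {src: source_permitted(src, allowlist) for src in sources}

if __name__ == "__main__":
    verdicts = filter_packets(
        ["192.0.2.10", "198.51.100.7", "203.0.113.5", "10.0.0.1", "2001:db8:100::1"],
        "AS64500")
    for src, ok in verdicts.items():
        print(f"{src:>20}  {'permit' if ok else 'deny'}")
```

The source in another ISP's block is permitted only because the customer registered a route object for it; an unregistered or foreign-origin source is dropped, which is the manual-exception case the thread is arguing about.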

