Tier 2 ingress filtering
- Subject: Tier 2 ingress filtering
- From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
- Date: Thu, 28 Mar 2013 17:16:48 +0000
- In-reply-to: <[email protected]>
- References: <[email protected]>
is there a clear understanding of "the edge" in the network operations
community? in a simpler world, it was not that difficult, but interconnect
has blossomed and grown all sorts of noodly appendages/extensions. I fear
that edge does not mean what you think it means anymore.
/bill
On Thu, Mar 28, 2013 at 01:07:24PM -0400, Jay Ashworth wrote:
> In the current BCP38/DDoS discussions, I've seen a lot of people suggesting
> that it's practical to do ingress filtering at places other than the edge.
>
> My understanding has always been different from that, based on the idea
> that the carrier to which a customer connects is the only one with which
> that end-site has a business relationship, and therefore (frex), the only
> one whom that end-site could advise that they believe they have a valid
> reason to originate traffic from address space not otherwise known to
> the carrier; jack-leg dual-homing, for example, as was discussed in still
> a third thread this week.
>
> The edge carrier's *upstream* is not going to know that it's reasonable
> for their customer -- the end-site's carrier -- to be originating traffic
> with those source addresses, and if they ingress filter based on the
> prefixes they route down to that carrier, they'll drop that traffic...
>
> which is not fraudulent, and has a valid engineering reason to exist and
> appear on their incoming interface.
>
> Fixing that will require the construction of an entirely new tracking system
> at the Tier 2, which is not really the case for the Tier 3 edge carrier,
> as I see it - you generally just turn unicast-rpf on for everyone's port,
> unless you have a signed waiver in your file cabinet, in which case
> you turn it off.
>
> Am I missing something?
>
> Or is the overarching problem large enough that people are willing to
> throw the baby out with the bathwater?
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth Baylink jra at baylink.com
> Designer The Things I Think RFC 2100
> Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
> St Petersburg FL USA #natog +1 727 647 1274
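
The scenario in the quoted message, as an added example that is not part of either poster's mail: strict unicast RPF at an edge carrier with a per-port waiver, followed by the same check at that carrier's upstream. Router names, port names and prefixes are constructed (RFC 5737 documentation ranges); the dual-homed site is assumed to source traffic from 198.51.100.0/24, space assigned by its other provider.

```python
import ipaddress

class Router:
    """Minimal router: a FIB (prefix -> interface) plus per-port strict uRPF."""
    def __init__(self, name, fib, urpf_off=()):
        self.name = name
        self.fib = [(ipaddress.ip_network(p), ifc) for p, ifc in fib.items()]
        self.urpf_off = set(urpf_off)  # ports with a signed waiver on file

    def reverse_path(self, src):
        """Longest-prefix match on the source address; interface or None."""
        addr = ipaddress.ip_address(src)
        hits = [(net.prefixlen, ifc) for net, ifc in self.fib if addr in net]
        return max(hits)[1] if hits else None

    def accepts(self, src, in_ifc):
        """Strict uRPF: the best route back to src must point out the arrival port."""
        if in_ifc in self.urpf_off:
            return True
        return self.reverse_path(src) == in_ifc

# Constructed topology: end-sites -> edge carrier (Tier 3) -> upstream (Tier 2).
EDGE = Router(
    "edge",
    {"192.0.2.0/24": "cust-a", "203.0.113.0/24": "cust-b", "0.0.0.0/0": "uplink"},
    urpf_off={"cust-a"},  # cust-a is dual-homed and filed a waiver
)
TIER2 = Router(
    "tier2",
    # The Tier 2 only knows the prefixes it routes down to the edge carrier.
    {"192.0.2.0/24": "edge", "203.0.113.0/24": "edge", "0.0.0.0/0": "transit"},
)

def fate(src, cust_port):
    """Follow one packet from a customer port through both filters."""
    if not EDGE.accepts(src, cust_port):
        return "dropped at edge"
    if not TIER2.accepts(src, "edge"):
        return "dropped at tier2"
    return "forwarded"

if __name__ == "__main__":
    for src, port in [("192.0.2.10", "cust-a"),    # site's own prefix
                      ("198.51.100.7", "cust-a"),  # legitimate, other provider's space
                      ("198.51.100.7", "cust-b"),  # same source, no waiver on this port
                      ("203.0.113.5", "cust-b")]:
        print(f"{src:>14} via {port}: {fate(src, port)}")
```

The second case is the one the message describes: the waiver exists only at the edge carrier, so the upstream's filter drops traffic the edge carrier already accepted as valid.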