Tier 2 ingress filtering
- Subject: Tier 2 ingress filtering
- From: fergdawgster at gmail.com (Paul Ferguson)
- Date: Thu, 28 Mar 2013 12:42:30 -0700
- In-reply-to: <[email protected]>
- References: <CAP-guGVH4jmJ+=sALfCTwK3ttw=ULkEvcO2N0pMrefbaE2TP4g@mail.gmail.com> <[email protected]>
On Thu, Mar 28, 2013 at 12:27 PM, Jay Ashworth <jra at baylink.com> wrote:
> ----- Original Message -----
>> From: "William Herrin" <bill at herrin.us>
>
>> So, you represent to your ISP that you're authorized to use a certain
>> range of addresses. He represents to his upstream that he's authorized
>> to use them on your behalf, and so on.
>
> The former is a first-hand transaction: if you're lying to your edge
> carrier, he can cut you off with no collateral damage.
>
Of course, he has to notice it first. :-)
ObOpinion: It's best to *enforce* a policy which disallows a
downstream network from sourcing spoofed packets -- and the closer to
the "edge" you are, the better. Hierarchy is great for that. :-)
I guess the next best thing is "Trust but verify"?
- ferg
--
"Fergie", a.k.a. Paul Ferguson
fergdawgster(at)gmail.com