Tier 2 ingress filtering
- Subject: Tier 2 ingress filtering
- From: jlewis at lewis.org (Jon Lewis)
- Date: Thu, 28 Mar 2013 20:48:55 -0400 (EDT)
- In-reply-to: <[email protected]>
- References: <[email protected]>
On Thu, 28 Mar 2013, Jay Ashworth wrote:
> C'mon guys: the edge is where people who *source and sink* packets
> connect to people who *move* packets. There may be some edges *inside*
> carriers, but there is certainly an edge where carriers hook up customers.
>
> And no, this should apply to business-grade connections as much as resi.
I tested several days ago and was surprised/impressed to find that my home
cable provider does not allow me to spoof.
AFAICR, all of the Tier1/Tier2 providers I've dealt with over the years
(UUNet, Sprintlink, C&W, MCI, Digex, Intermedia, Abovenet, Level3,
TWTelecom, Cogent, BHN, I'm probably forgetting a few) have done BGP
prefix-list filters on their transit customers. If they know what routes
you might want to announce to them, wouldn't it be reasonable to use that
same list of prefixes (in the vast majority of cases) as the basis for an
input ACL on your interface?
It'd be extra work for the T1/T2 networks to do this, and arguably, all
the customer networks should be doing it inside their own networks, but we
all know that not everyone who buys a connection and configures BGP has
half a clue, and for the ones that do, we can all appreciate the idea of a
belt and suspenders.
It's time for people to stop passing the buck on BCP38 (we don't do it,
because it really ought to be done at that other level) and start
implementing it where possible.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route, therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
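To make the suggestion concrete (an added example, not code from the original post or from any provider named in it): derive a BCP38 source-address filter from the same BGP prefix-list a transit provider already maintains for a customer, and render the equivalent input ACL. The customer name CUST-A, the prefixes, the IOS-like prefix-list and ACL syntax, and the sample source addresses are all constructed for illustration.

```python
"""BCP38 ingress filter derived from a transit customer's BGP prefix-list."""
import ipaddress
import re

# Constructed sample: what hypothetical customer CUST-A may announce to us.
PREFIX_LIST = """
ip prefix-list CUST-A seq 5 permit 192.0.2.0/24 le 26
ip prefix-list CUST-A seq 10 permit 198.51.100.0/24
ip prefix-list CUST-A seq 15 deny 0.0.0.0/0 le 32
"""

# IOS-style prefix-list line, with optional ge/le length qualifiers (assumed syntax).
ENTRY_RE = re.compile(
    r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$"
)

def parse_prefix_list(text):
    """Return (seq, action, network, ge, le) tuples in sequence order."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a prefix-list entry
        _name, seq, action, prefix, ge, le = m.groups()
        entries.append((int(seq), action, ipaddress.ip_network(prefix, strict=False), ge, le))
    return sorted(entries)

def permitted_prefixes(entries):
    """Networks the customer is entitled to announce. The ge/le qualifiers only
    constrain route lengths, so for source filtering the covering prefix is
    what matters; deny entries (route-filter catch-alls) contribute nothing."""
    return [net for _, action, net, _, _ in entries if action == "permit"]

def source_allowed(src, allowed):
    """BCP38 check: a packet arriving on the customer interface may only carry
    a source address inside one of the customer's permitted prefixes."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in allowed)

def spoofed_sources(sources, allowed):
    """Return the source addresses an ingress ACL built from 'allowed' would drop."""
    return [s for s in sources if not source_allowed(s, allowed)]

def acl_from_prefixes(allowed, name="CUST-A-IN"):
    """Render the equivalent input ACL (IOS-style wildcard-mask syntax, assumed)."""
    lines = [f"ip access-list extended {name}"]
    for net in allowed:
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")  # log hits: each one is a spoofing or config problem
    return "\n".join(lines)
```

Applying the ACL as an inbound filter on the customer-facing interface is the "belt and suspenders" the post describes; the logged denies double as a detection signal for misconfigured or spoofing customer networks.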