On Sat, Nov 28, 2009 at 09:41:09AM -0600, Joe Greco wrote: [attributions lost]
I'm reasonably certain a customer of ours who is using one of our netblocks is using a different reverse path to reach us. How might I figure out who is allowing them to source traffic from IPs that belong to us?

you are implying that they are not allowed to multi-home using the ip space you have assigned to them. good way to lose a customer.

Does it count as multihoming when we are the only ones announcing the space?
almost an interesting question. but i think it is playing with words. if i understand your original statement, they are clearly attached to at least two providers.
perhaps it is fear of what they, possibly mistakenly, perceive to be your policy regarding announcement of space that keeps them from announcing normally to both, or more, links?
It wasn't clear that the customer was a BGP downstream though by saying 'We are the only ones announcing the space', I think not. Non-BGP multihoming is broken* and when not done out of ignorance generally is the smoke pointing to the fire of someone trying to hide something. Was very common for spammers to abuse no-uRPF networks in the early days of broadband.
It could also be something simple like pricing. For example, in a large colo facility, you might easily find that a number of providers offer low cost transit, but not IP space. For a customer who is heavy on the outbound traffic, they might find it more affordable to buy their inbound plus IP space from you, and then dump onto Cogent or something like that for outbound. Unless your contract specifically prohibits this, you're probably not going to be able to prevent it.
I wonder if there is a drift of baseline assumptions between the current wave of operators and previous ones? To me (and BCP38) it is beyond bad practice to allow -and if allowed, to make use of- such sloppy edges. If the other network truly is practicing bad forwarding hygiene then they are a security problem for everyone else and IMO would be good for naming and shaming.

Cheers,
Joe

* for the majority of the cases. I know there are purposeful Non-BGP MOAS/anycast purposefully run by those who understand the implications. It is unfortunate that their use of the lack of inherent BGP path security contributes to fuzzing what would otherwise have been a clear indicator of 'bad' behavior. But the same could be said for the deaggregators using longest-match to have everyone else do their TE; water under the bridge pushing work onto everyone else.

-- 
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
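To make concrete why non-BGP multihoming collides with BCP38/uRPF as discussed above, here is an added illustration that is not part of the thread: a small model of a provider edge router doing strict and loose unicast RPF over a constructed routing table. Every prefix, address and interface name is made up (RFC 5737 documentation ranges), and the lookup is a plain longest-prefix match rather than any vendor's implementation. The point it shows is the one the posters make: a source address that belongs to a block routed out one customer port, but arriving on a different port, fails strict uRPF, while loose uRPF only catches sources with no non-default route at all.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed RIB for a hypothetical provider edge: prefix -> egress interface.
# 192.0.2.0/24 is "our" block assigned to the customer on ge-0/0/1;
# the default route points at upstream transit on ge-0/0/0.
RIB: Dict[str, str] = {
    "192.0.2.0/24": "ge-0/0/1",      # customer A's assigned block
    "198.51.100.0/24": "ge-0/0/2",   # customer B's assigned block
    "0.0.0.0/0": "ge-0/0/0",         # default toward transit
}


def lookup(rib: Dict[str, str], src: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match of src against rib; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, iface in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(rib: Dict[str, str], src: str, in_iface: str) -> bool:
    """Strict uRPF: accept only if the best route back to src leaves via in_iface.
    This is the check that a customer sourcing "our" addresses over another
    provider's link would fail on that provider's edge."""
    hit = lookup(rib, src)
    return hit is not None and hit[1] == in_iface


def urpf_loose(rib: Dict[str, str], src: str) -> bool:
    """Loose uRPF: accept if any route more specific than the default covers src.
    Cheaper, but it does not catch a source that merely arrived on the wrong port."""
    hit = lookup(rib, src)
    return hit is not None and hit[0].prefixlen > 0


def audit(rib: Dict[str, str], flows: List[Tuple[str, str]]) -> List[Tuple[str, str, bool, bool]]:
    """Evaluate constructed (src, in_iface) observations against both modes.
    Returns (src, in_iface, passes_strict, passes_loose) per flow so an operator
    can see which sources a BCP38-compliant edge would have dropped."""
    return [(src, iface, urpf_strict(rib, src, iface), urpf_loose(rib, src))
            for src, iface in flows]


# Constructed flow samples (not real traffic):
#   1. customer A sending from its own block on its own port      -> both pass
#   2. A's block arriving on customer B's port (the thread's case) -> strict fails, loose passes
#   3. an address with only a default route, arriving on B's port -> both fail
SAMPLE_FLOWS = [
    ("192.0.2.10", "ge-0/0/1"),
    ("192.0.2.10", "ge-0/0/2"),
    ("203.0.113.5", "ge-0/0/2"),
]

if __name__ == "__main__":
    for src, iface, strict_ok, loose_ok in audit(RIB, SAMPLE_FLOWS):
        print(f"{src:>14} on {iface}: strict={'pass' if strict_ok else 'DROP'} "
              f"loose={'pass' if loose_ok else 'DROP'}")
```

Running it shows the second flow passing loose mode but failing strict mode, which is why a transit provider running only loose uRPF (or none) would happily forward a customer's packets sourced from a block it does not route toward that customer. Strict mode is the BCP38 behaviour the thread is arguing for on single-homed customer ports; loose mode is usually what is left on ports where asymmetric routing is expected.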