Entirely agreed. On the other hand I have what is turning out to be a unique (here) point of view about this. I don't want to prevent this kind of theft -- I want to discover it, and remove perpetrators from any IXP where they try it. I don't want to block it. I want to ensure that it is never tried twice. I appear to be in the minority wrt this view.
This is a great idea. But do you have any idea how much expert engineer time is involved in tracking down theft of this sort? Most of our employers would much rather spend that resource on tackling the big problems.
Actually, I think the best way to do this would be to sample source/destination address pairs from packets passing through all your edge routers, and then to use a snapshot of the 'normal' routing through your network to reduce this to a matrix of traffic loads between all entrance and exit points in your network. The tool that was doing this could then immediately detect unauthorized transit by looking for significant traffic loads where neither end is rooted at one of your customers.

The reason that one's employer might (and certainly should) be keen to do this even at the expense of a substantial amount of high-priced talent is that the ingress-egress traffic matrix you measure this way can also be used to predict the effect of link metric changes on your link loads before you make the changes, or to predict the load you'll see on new circuits and the load relief on existing circuits before purchasing and installing the new ones, and where to best place new circuits to maximize their benefit, all things which the measurement of interface loads alone can't help you with. Hence the data you need to measure to detect unauthorized use is also precisely the data you need to do traffic engineering in a network of routers, both in the core of the network (if you haven't installed an ATM/FR core in the center of the network to measure this already) and to engineer interconnect traffic (which even a switched core infrastructure doesn't help with).

I think the fact that one can't detect unauthorized transit currently is hence very sad, less because I think unauthorized transit is serious (though I do) than because the unavailability of this data also pretty much limits one to doing traffic engineering by gut-instinct trial-and-error, with increasing probability of getting it increasingly wrong as the topological complexity of the network goes up (I know this from experience...).
There is more than one reason to want to have very accurate knowledge of where traffic in your network is coming from and going to; the need for edge filtering in lieu of detection is a symptom of a more basic failure.

Dennis Ferguson
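The sampling-and-matrix approach described in the post above, as an added example that is not from the thread or its authors: sampled (src, dst, bytes) records are mapped through a routing snapshot to an (ingress edge, egress edge) pair, summed into a traffic matrix usable for traffic engineering, and a second matrix counting only flows where neither end falls in a customer prefix is checked against a load threshold. The prefix-to-edge table, customer prefixes, sample records and threshold are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed routing snapshot: prefix -> edge router it enters/exits through.
ROUTES = {
    "192.0.2.0/24": "edge-A",
    "198.51.100.0/24": "edge-B",
    "203.0.113.0/24": "edge-C",
    "10.0.0.0/8": "edge-D",
}
CUSTOMER_PREFIXES = ["192.0.2.0/24"]  # constructed: only 192.0.2.0/24 pays us

# Constructed packet samples taken at the edge: (src, dst, bytes).
SAMPLES = [
    ("192.0.2.10", "203.0.113.5", 1500),     # customer -> peer: fine
    ("203.0.113.9", "192.0.2.44", 9000),     # peer -> customer: fine
    ("198.51.100.7", "203.0.113.8", 40000),  # peer -> peer: nobody pays
    ("198.51.100.8", "203.0.113.2", 35000),  # peer -> peer again
    ("10.1.2.3", "198.51.100.1", 200),       # peer -> peer, but negligible
]

def lpm_edge(addr, table):
    """Longest-prefix match of addr against [(network, edge)]; None if no route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, edge in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, edge)
    return best[1] if best else None

def traffic_matrix(samples, routes, customer_prefixes, scale=1):
    """Return (total, foreign): bytes per (ingress, egress) edge pair, and the
    subset where neither endpoint lies in a customer prefix. `scale` undoes
    the packet sampling ratio (e.g. 1000 for 1-in-1000 sampling)."""
    table = [(ipaddress.ip_network(p), e) for p, e in routes.items()]
    customers = [ipaddress.ip_network(p) for p in customer_prefixes]
    total, foreign = defaultdict(int), defaultdict(int)
    for src, dst, nbytes in samples:
        ingress, egress = lpm_edge(src, table), lpm_edge(dst, table)
        if ingress is None or egress is None:
            continue  # unroutable sample: cannot be attributed to an edge pair
        key = (ingress, egress)
        total[key] += nbytes * scale
        sip, dip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not any(sip in c or dip in c for c in customers):
            foreign[key] += nbytes * scale
    return dict(total), dict(foreign)

def unauthorized_transit(foreign, threshold):
    """Edge pairs carrying at least `threshold` bytes that neither come from
    nor go to a customer: candidates for unauthorized transit."""
    return sorted((pair, load) for pair, load in foreign.items() if load >= threshold)

if __name__ == "__main__":
    total, foreign = traffic_matrix(SAMPLES, ROUTES, CUSTOMER_PREFIXES)
    print(unauthorized_transit(foreign, threshold=50000))
```

The `total` matrix is the ingress/egress load data the post says is also needed for predicting the effect of metric changes and new circuits; `foreign` is the slice of it that flags transit nobody is paying for.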