On Wed, Mar 27, 2013 at 11:02 AM, Jack Bates <jbates@brightok.net> wrote:
> It's also not a bad idea for an ISP to deploy EGRESS filters if they do not offer BGP Transit services.

Nor is it a bad idea for their upstream to inquire as to whether the downstream offers BGP transit services and apply INGRESS filters if they do not.

> This way they are not depending on their transit providers to handle spoof protection and they cover their entire network regardless of last mile ingress filtering. This doesn't generally work well when doing transit services of any size due to the number of egress filter updates you'd have to issue, but it is great for the small/medium ISP.
Build a web page where a downstream can set the filters on his interface at his convenience. Apply some basic sanity checks against wide-open. Worry about small lies from a forensic after-the-fact perspective. This problem has a trivial technology-only solution.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
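A sketch of the "basic sanity checks against wide-open" such a self-service filter page could run on a downstream's submitted source prefixes. This is an added example, not part of the thread; the function name and the thresholds (shortest allowed prefix, total IPv4 address cap) are assumptions to be tuned per customer.

```python
import ipaddress

# Assumed policy thresholds (not from the thread): tune per customer size.
MIN_PREFIXLEN = {4: 16, 6: 32}   # shortest prefix a downstream may request
MAX_V4_ADDRESSES = 2 ** 18       # cap on total IPv4 space in one filter

def check_filter(requested):
    """Return (accepted_networks, rejections) for a requested source-prefix list."""
    nets, rejections = [], []
    for text in requested:
        try:
            # strict=True rejects entries with host bits set (likely typos).
            net = ipaddress.ip_network(text.strip(), strict=True)
        except ValueError as exc:
            rejections.append((text, f"unparseable: {exc}"))
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            rejections.append((text, "too broad"))
            continue
        if (net.is_multicast or net.is_loopback
                or net.is_link_local or net.is_unspecified):
            rejections.append((text, "not a valid unicast source range"))
            continue
        nets.append(net)
    # Collapse overlaps so the size cap counts each address once.
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    total_v4 = sum(n.num_addresses for n in v4)
    if total_v4 > MAX_V4_ADDRESSES:
        rejections.append(("*", f"filter covers {total_v4} IPv4 addresses, over cap"))
        v4 = []
    return v4 + v6, rejections

if __name__ == "__main__":
    # Constructed sample submission using documentation prefixes.
    sample = ["198.51.100.0/24", "198.51.100.128/25", "203.0.113.0/24",
              "0.0.0.0/0", "239.1.0.0/16", "2001:db8::/32", "192.0.2.1/24"]
    accepted, rejected = check_filter(sample)
    for net in accepted:
        print("permit", net)
    for entry, reason in rejected:
        print("reject", entry, "-", reason)
```

Entries that pass would still be logged with the submitting account and timestamp, which is what makes the after-the-fact forensic review of "small lies" possible.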