* Saku Ytti
Question is, is it reasonable to expect customer to know what networks they have. If yes, then you can ask them to create route objects and then you can BGP prefix-filter and ACL on them. I do both, and it has never been problem to my customers (enterprises, CDNs, eyeballs).
I've had some problems with my upstream providers' ingress filtering, for example: - Traffic sourced from a prefix announced as a more-specific route at transit connection in location A got filtered on a transit connection in location B, where only a greater aggregate was announced. - A GRE tunnel anchored in my routers' addresses in the eBGP link network (part of my provider's address space) stopped working, as my outbound packets was dropped by the provider's ingress filtering. - Traceroutes that reaches my network through provider A show one missing hop if my best return path back to the traceroute source is through provider B, and provider B is doing ingress filtering. This is because the ICMP TTL/HL exceeded packet is sourced from provider A's address space (my router's interface address in the eBGP link net). AFAIK, you represent one of my upstream providers, so sorry, but saying your customers have never had problems with your ingress filtering isn't entirely accurate. Everything works fine now, though. Best regards, -- Tore Anderson