On Tue, Feb 4, 2014 at 5:18 PM, John Levine <johnl@iecc.com> wrote:
> I was at a conference with people from some Very Large ISPs. They told me that many of their large customers absolutely will not let them do BCP38 filtering. ("If you don't want our business, we can find someone else who does.") The usual problem is that they have PA space from two providers and for various reasons, not all of which are stupid, traffic with provider A's addresses sometimes goes out through provider B.
Then:

(A) It isn't spoofed traffic. The relevant block of ISP A's addresses should be permitted in ISP B's filter. It shouldn't even need much in the way of verification: confirm that the requested block is either relatively small and not obviously registered to someone else in rwhois, or confirm that it is registered to the customer in rwhois.

(B) When it comes time to apply a penalty up at the peering sessions, those packets aren't eligible. The penalty can be refuted and, if based on those particular source addresses, dropped.
> I don't know BGP well enough to know if it's possible to send out announcements for this situation: this address range is us, but don't route traffic to it.
No. A BGP option could be added to support this, but in many cases the blocks in question are smaller than /24. The advertisements would end up filtered anyway.

There really isn't a good technical solution to automated filtering at the reciprocal peering level. That part only works at the customer edge.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
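
An added example, not part of the original messages: the customer-edge source filter with the exception check described in point (A). The /24 cut-off for "relatively small", the `rwhois_registrant` argument standing in for the result of an rwhois lookup, and all names and prefixes (documentation ranges) are assumptions.

```python
import ipaddress

# Assumption: "relatively small" is read as an IPv4 /24 or longer;
# the thread gives no number.
SMALL_PREFIXLEN = 24


def approve_exception(block, customer, rwhois_registrant):
    """Decide whether a block from another provider may be added to a
    customer's source-address filter.

    rwhois_registrant is the most specific registrant an rwhois lookup
    returned for the block, or None when no specific record exists
    (hypothetical stand-in for a real lookup).
    """
    net = ipaddress.ip_network(block)
    if rwhois_registrant == customer:
        return True  # registered to the customer: permit
    small = net.version == 4 and net.prefixlen >= SMALL_PREFIXLEN
    # Small and not registered to someone else: permit without more checks.
    return small and rwhois_registrant is None


class CustomerEdgeFilter:
    """BCP38-style ingress filter on one customer port of ISP B."""

    def __init__(self, customer, assigned):
        self.customer = customer
        self.allowed = [ipaddress.ip_network(p) for p in assigned]

    def request_exception(self, block, rwhois_registrant):
        """Add a provider A block to the filter if it passes the check."""
        ok = approve_exception(block, self.customer, rwhois_registrant)
        if ok:
            self.allowed.append(ipaddress.ip_network(block))
        return ok

    def permits(self, src):
        """True if a packet with this source address may leave the port."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.allowed)


if __name__ == "__main__":
    # Constructed sample: ExampleCo holds 192.0.2.0/24 from ISP B and a
    # /28 of provider A's space with no specific rwhois record.
    f = CustomerEdgeFilter("ExampleCo", ["192.0.2.0/24"])
    print(f.permits("198.51.100.5"))                    # before exception
    print(f.request_exception("198.51.100.0/28", None))
    print(f.permits("198.51.100.5"))                    # after exception
```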