Yeah, that's what I meant: ingress filter all edge connections except maybe BGP, and accept opt-out requests.

Valdis.Kletnieks@vt.edu wrote:

> On Thu, 28 Mar 2013 15:05:57 -0400, Jay Ashworth said:
>
> > ----- Original Message -----
> > From: "Valdis Kletnieks" <Valdis.Kletnieks@vt.edu>
> >
> > > For 5 9's worth of eyeball networks hanging off consumer-grade ADSL and cable connections, it's still the edge and still trivially filterable. If that's a problem, the ISP can upsell a business-class connection that doesn't filter. ;)
> >
> > C'mon guys: the edge is where people who *source and sink* packets connect to people who *move* packets. There may be some edges *inside* carriers, but there is certainly an edge where carriers hook up customers.
>
> Exactly - packets leaving Comcast's network and going to another tier 1/2, the receiver may have a hard time figuring out if the packet is legit or not. But it's trivial for Comcast to tell whether the packet that just came out my cable modem is consistent with what their DHCP server told my CPE. (For the record, the last time I tried running the spoofer.sail stuff on my home gear, it was totally unable to sneak a packet out, so at least part of Comcast does this right.)
>
> > And the fact that there's places where it *is* hard to deploy isn't an excuse for not doing it in the 98% of places where it's a slam dunk.
> >
> > And no, this should apply to business-grade connections as much as resi.
>
> Oh, I was intending *those* would be filtered by default as well, but you could request an opt-out if you were trying to do multi-homing on the cheap as some people have suggested (similar to blocking outbound 25 by default, unless the user actually has a mail server).

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
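The point the thread turns on (the access edge knows which source addresses each customer port was assigned, so it can validate sources cheaply, while a transit network receiving the aggregate cannot) is easy to show in a small simulation. The following is an added example written for this page, not code from the thread's participants or from any vendor; the port names, prefixes and packets are constructed sample data using documentation address ranges, and the per-port opt-out list is an assumed way to model the "multi-homing on the cheap" exception. It also contrasts the edge check with a loose route-existence check of the kind a transit router could apply, to show why a spoofed packet inside another customer's prefix slips through there.

```python
"""Simulated BCP38-style source validation at the customer edge.

Added example, not from the NANOG thread. Sample data is constructed:
each access port carries the prefix(es) the ISP's DHCP/provisioning
system assigned to that customer, plus an optional opt-out list for
customers who registered extra prefixes (multihoming). A packet is
forwarded only if its source falls inside one of those prefixes.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    ingress_port: str   # the access port (e.g. cable modem) the packet arrived on
    src: str
    dst: str


@dataclass
class PortPolicy:
    assigned: list                                  # from DHCP lease / static assignment
    opt_out: list = field(default_factory=list)     # assumed: registered extra prefixes


def allowed_sources(policy):
    """All prefixes a port may legitimately source packets from."""
    return [ipaddress.ip_network(p) for p in policy.assigned + policy.opt_out]


def edge_filter(policies, packets):
    """Per-port ingress filtering. Returns (forwarded, dropped_with_reason)."""
    forwarded, dropped = [], []
    for pkt in packets:
        policy = policies.get(pkt.ingress_port)
        if policy is None:
            dropped.append((pkt, "unknown port"))       # no binding at all: fail closed
            continue
        src = ipaddress.ip_address(pkt.src)
        # ip_address in ip_network is False across IP versions, so a v6
        # source on a v4-only port is dropped without special casing.
        if any(src in net for net in allowed_sources(policy)):
            forwarded.append(pkt)
        else:
            dropped.append((pkt, "source outside assigned prefix"))
    return forwarded, dropped


def transit_loose_check(routes, pkt):
    """What a downstream network can do at best without customer bindings:
    accept if *some* route covers the source. Spoofing within any routed
    prefix passes this check, which is why validation belongs at the edge."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in ipaddress.ip_network(r) for r in routes)


# --- constructed sample data (documentation ranges only) -------------------
SAMPLE_POLICIES = {
    "cm-1001": PortPolicy(assigned=["198.51.100.17/32"]),                 # single DHCP lease
    "cm-1002": PortPolicy(assigned=["198.51.100.18/32"],
                          opt_out=["203.0.113.0/24"]),                   # multihomed opt-out
    "biz-7":   PortPolicy(assigned=["192.0.2.0/29"]),                     # business /29
}

SAMPLE_PACKETS = [
    Packet("cm-1001", "198.51.100.17", "192.0.2.200"),   # own leased address
    Packet("cm-1001", "198.51.100.18", "192.0.2.200"),   # neighbour's address: spoofed
    Packet("cm-1001", "192.0.2.53",    "192.0.2.200"),   # another customer's block: spoofed
    Packet("cm-1002", "203.0.113.9",   "192.0.2.200"),   # allowed via registered opt-out
    Packet("biz-7",   "192.0.2.5",     "192.0.2.200"),   # inside the business /29
    Packet("biz-7",   "2001:db8::1",   "192.0.2.200"),   # v6 source on a v4 assignment
    Packet("cm-9999", "198.51.100.40", "192.0.2.200"),   # port with no provisioning record
]

# Aggregate routes a transit network might hold for this ISP.
SAMPLE_ROUTES = ["198.51.100.0/24", "192.0.2.0/24", "203.0.113.0/24"]


def forwarded_sources():
    """Sources that survive the edge filter on the sample data."""
    fwd, _ = edge_filter(SAMPLE_POLICIES, SAMPLE_PACKETS)
    return [p.src for p in fwd]


def drop_reasons():
    _, drp = edge_filter(SAMPLE_POLICIES, SAMPLE_PACKETS)
    return [(p.src, why) for p, why in drp]


if __name__ == "__main__":
    print("forwarded:", forwarded_sources())
    for src, why in drop_reasons():
        print(f"dropped  : {src:16} {why}")
    spoofed = SAMPLE_PACKETS[2]
    print("transit loose check passes spoofed packet:",
          transit_loose_check(SAMPLE_ROUTES, spoofed))
```

Running it shows three packets forwarded and four dropped at the edge, while the packet spoofing `192.0.2.53` from port `cm-1001` passes the transit-side route-existence check, since the transit router has a route for that prefix but no idea which port may legitimately source it.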