On Monday, Sep 1, 2003, at 20:58 Europe/Amsterdam, Terry Baranski wrote:
the rest of the paper is also germane to this thread. just fya, we keep rehashing the UNimportant part of this argument, and never progressing. (from this, i deduce that we must be humans.)
Ok, so we seem to have a general agreement that anti-spoof & BGP prefix filtering on all standard customer edge links is a worthwhile practice.
I think we can use wording a little stronger than this. Allowing invalid (for that customer) prefixes or source addresses has the potential to cause significant problems.
Now what? Is there any hope of this ever happening on a very large scale without somehow being mandated? (Not that it necessarily should be mandated.) How much success have Barry Green and co. had? Is there something the rest of us could be doing?
Well, one thing that would work well if one or more of the large networks start doing it: de-peer if you see this kind of stuff from your peers. I enabled

    access-list 123 deny ip 192.168.0.0 0.0.255.255 any log-input

on an interface towards an internet exchange, and I got a significant number of hits, most notably from several large cable ISPs. Obviously this is going to happen much faster as soon as someone figures out that if you have your own high-capacity global network, you're in a relatively good position to clean up DoS for your customers on a structural basis and thus charge more per Mbit.
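Attributing the hits from an ACL entry like the one in the message above to individual exchange peers, as an added example that is not part of the original message. The log lines are constructed, the syslog layout is assumed to be what IOS emits for an entry with log-input (ingress interface and source MAC in parentheses), and the MAC-to-peer table and its names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample syslog lines (assumed IOS layout for "log-input").
# MACs come from the documentation range 0000.5e00.53xx.
SAMPLE_LOG = """\
Sep  1 21:03:11 ix-rtr 101: %SEC-6-IPACCESSLOGP: list 123 denied udp 192.168.1.10(137) (FastEthernet0/0 0000.5e00.5301) -> 198.51.100.7(137), 1 packet
Sep  1 21:03:15 ix-rtr 102: %SEC-6-IPACCESSLOGP: list 123 denied tcp 192.168.44.2(3127) (FastEthernet0/0 0000.5e00.5302) -> 203.0.113.9(80), 4 packets
Sep  1 21:04:02 ix-rtr 103: %SEC-6-IPACCESSLOGDP: list 123 denied icmp 192.168.0.5 (FastEthernet0/0 0000.5e00.5301) -> 198.51.100.7 (8/0), 2 packets
Sep  1 21:04:09 ix-rtr 104: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.1(1025) (FastEthernet0/1 0000.5e00.5303) -> 203.0.113.9(25), 1 packet
Sep  1 21:05:30 ix-rtr 105: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
"""

# Hypothetical table: router MAC seen on the exchange LAN -> peer name.
PEER_BY_MAC = {"0000.5e00.5301": "peer-A"}

# One ACL hit: list number, protocol, source address (port optional, absent
# for ICMP), then the "(interface mac)" pair that log-input adds.
HIT = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? "
    r"\((?P<ifname>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) -> "
    r".*?, (?P<count>\d+) packets?"
)


def hits_per_peer(log_text, acl="123", peers=PEER_BY_MAC):
    """Sum denied packets for one ACL, grouped by the peer that sent them."""
    totals = Counter()
    for line in log_text.splitlines():
        m = HIT.search(line)
        if not m or m["acl"] != acl:
            continue  # unrelated message, or a hit on another access list
        # Unmapped MACs stay visible so they can be looked up at the exchange.
        peer = peers.get(m["mac"], "unknown MAC " + m["mac"])
        totals[peer] += int(m["count"])
    return totals


if __name__ == "__main__":
    for peer, packets in hits_per_peer(SAMPLE_LOG).most_common():
        print(f"{packets:6d}  {peer}")
```

IOS rate-limits and aggregates ACL log messages, so the packet counts are a lower bound on what the entry actually dropped.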