
It seems to reason that if people started filtering RFC-1918 on their edge, we would see a noticeable amount of traffic go away. Simulation models I've been running show that an average of 12 to 18 percent of a provider's traffic would disappear if they filtered RFC-1918 sourced packets. The percentage ranges scale with the size of the provider. Smaller providers, less impact; larger providers, more impact. In addition to the bandwidth savings, there is also a support cost reduction, and together, I believe backbone providers can see this on the bottom line of their balance sheets. We have to start someplace. There is no magic answer for all cases. RFC-1918 is easy to admin and easy to deploy, in relative terms compared to uRPF or similar methods. For large and small alike it can be a positive marketing tool, if properly implemented.

john brown

On Tue, Oct 08, 2002 at 11:09:10AM -0400, Sean Donelan wrote:
On Tue, 8 Oct 2002, Joe Abley wrote:
What is difficult about dropping packets sourced from RFC1918 addresses before they leave your network?
I kind of assumed that people weren't doing it because they were lazy.
I've checked the marketing stuff of several backbones, as far as I could tell only one makes the blanket statement about source address validation on their entire network.
http://www.ipservices.att.com/backbone/techspecs.cfm
AT&T has also implemented security features directly into the backbone. IP Source Address Assurance is implemented at every customer point-of-entry to guard against hackers. AT&T examines the source address of every inbound packet coming from customer connections to ensure it matches the IP address we expect to see on that packet. This means that the AT&T IP Backbone is RFC2267-compliant.
What backbones do 100% source address validation? And how much of it is real, and how much is marketing? On single-homed or few-homed stub networks it's "easy." But even in a moderately complex transit network it becomes "difficult." Yes, I know about uRPF-like stuff, but the router vendors are still tweaking it.
If there is a magic solution, I would love to hear about it. Unfortunately, the only solutions I've seen involve considerable work and resources to implement and maintain all the "exceptions" needed to do 100% source address validation.
Heck, the phone network still has trouble getting the correct Caller-ID end-to-end.
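The contrast the thread draws, a static RFC-1918 source filter versus strict uRPF, can be shown in a few lines. This is an added example, not code from anyone on the thread; the routing table, interface names and packets are constructed, and the multi-homed customer whose traffic arrives on a different interface than its route points to is the kind of "exception" Sean refers to.

```python
import ipaddress
from collections import namedtuple

# RFC 1918 space: a packet sourced here should never leave a provider's edge.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Packet = namedtuple("Packet", "src iface nbytes")

def is_rfc1918_source(pkt):
    """Static bogon check: no routing state needed, same answer everywhere."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in RFC1918)

def urpf_strict_pass(pkt, routes):
    """Strict uRPF: the longest-match route back to the source must point
    at the interface the packet arrived on. routes maps network -> iface."""
    src = ipaddress.ip_address(pkt.src)
    matches = [(net, iface) for net, iface in routes.items() if src in net]
    if not matches:
        return False                      # no route back at all: drop
    net, iface = max(matches, key=lambda m: m[0].prefixlen)
    return iface == pkt.iface

def filter_rfc1918(packets):
    """Apply the static filter; return surviving packets and dropped byte share."""
    total = sum(p.nbytes for p in packets)
    kept = [p for p in packets if not is_rfc1918_source(p)]
    dropped = total - sum(p.nbytes for p in kept)
    return kept, dropped / total

# Constructed routing table (hypothetical interface names).
ROUTES = {
    ipaddress.ip_network("198.51.100.0/24"): "eth1",   # single-homed customer
    ipaddress.ip_network("203.0.113.0/24"):  "eth2",   # multi-homed customer
    ipaddress.ip_network("0.0.0.0/0"):       "eth0",   # upstream default
}

# Constructed sample packets (source, arrival interface, bytes).
PACKETS = [
    Packet("10.1.2.3",      "eth1", 1500),   # private source leaking out
    Packet("192.168.0.5",   "eth2",  500),   # private source leaking out
    Packet("198.51.100.7",  "eth1", 4000),   # legitimate, symmetric
    Packet("203.0.113.20",  "eth3", 4000),   # legitimate, but asymmetric path
]

if __name__ == "__main__":
    kept, share = filter_rfc1918(PACKETS)
    print(f"RFC1918 filter drops {share:.0%} of bytes, keeps {len(kept)} packets")
    for p in kept:
        print(p.src, "uRPF strict:", "pass" if urpf_strict_pass(p, ROUTES) else "DROP")
```

The static filter removes only the private-sourced packets, while strict uRPF also drops the multi-homed customer's legitimate traffic on eth3, which is why it needs per-customer exceptions.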