On Thu, Mar 29, 2001 at 09:31:31PM -0800, John Payne wrote:
> If a global transit free network can ingress filter all of their customers, without CPU or other logistic problems, I'd be surprised if the majority of ISPs on this list can't do otherwise. OK, if you're UUNET and providing connectivity to a load of ISPs, you might not be able to filter those customers, but you can require that they filter their customers.
I'm not saying that some or most ISPs can't do it, I'm saying that not _ALL_ can, so the global statements that there is no reason not to do not apply. Many people have older hardware that works just fine for customer traffic but would not stand up to filters. If I'm pressed to choose between a router/switch that does a better job of providing connectivity to my customers and one that can do line-speed ACLs... you know which one I'll choose. I'm not going to choose my hardware just because it can filter. Even Cisco is releasing hardware that can't do what you are saying; go look at the Engine 4 card, the latest, greatest from Cisco. Should I stop my network deployment just to be able to filter? Should I take the depreciation hit just so I can filter customers in the future and dump these cards, losing my investment? I can't see it, sorry.
Now that's a very broad statement that's just not true. There are reasons that packets with a source address not assigned to an ISP may come across the link and be valid; look at DirectPC.
> "Apart from the address block we've assigned you, will you be using addresses in netblocks of other providers? For example, you might have a connection to another ISP, or you might be using DirectPC"
That's fine, but do you do it with everyone? For example, I have a T1 and DSL in my house; my DSL provider could care less that I have another connection, but if I feel like it, is there any reason I shouldn't send traffic out the DSL link that is sourced from IPs only routed over my T1?
Past that, if the customer has customers who have blocks assigned from other providers, this becomes a huge and almost impossible to manage real-time list. Big filter lists hit router CPUs, and cost human time. And remember this isn't like filtering BGP customers, where if the route doesn't get through it's not always a big deal; you are _dropping_ packets that may be valid.
> And the CPU cost is tiny. Netflow switching reduces it even more.
That's wholly dependent on the hardware; fire up some filters on an Engine 4 card and tell me this :)

--
-------------------------------------------------------------------------------
: Steven Noble / Network Janitor / Be free my soul and leave this world alone :
: My views = My views != The views of any of my past or present employers :
-------------------------------------------------------------------------------
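As an added example that is not part of the original thread (my own illustration, not code from either poster), the following models the per-customer source-address filter being argued over: a per-interface list of permitted source prefixes, with everything else dropped. It is built to show both the spoofed packet such a filter stops and the multi-homed case Steven raises, where traffic sourced from a block assigned by a different provider is legitimate but gets dropped unless an exception is added to the list. The interface name, prefixes (documentation ranges) and packets are constructed for the example and are not from the post.

```python
"""Toy BCP38-style ingress filter (added example, not from the original thread).

Each customer-facing interface carries a list of source prefixes the customer
is allowed to use. A packet whose source falls outside that list is dropped.
All names, prefixes and packets below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict


class IngressFilter:
    """Per-interface permitted-source prefix list, checked per packet."""

    def __init__(self):
        self._rules = defaultdict(list)  # iface -> [IPv4Network, ...]

    def permit(self, iface, prefix):
        """Add a source prefix the customer on `iface` may use."""
        self._rules[iface].append(ipaddress.ip_network(prefix, strict=True))

    def rule_count(self, iface):
        """Size of the list the router must evaluate on `iface`."""
        return len(self._rules[iface])

    def decide(self, iface, src):
        """Return 'permit' if `src` is covered by a rule on `iface`, else 'drop'."""
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in self._rules[iface]):
            return "permit"
        return "drop"

    def filter_packets(self, iface, packets):
        """Apply decide() to (src, dst) pairs arriving on `iface`."""
        return [(src, dst, self.decide(iface, src)) for src, dst in packets]


# Constructed scenario (hypothetical, not from the thread): one customer site
# holds 192.0.2.0/29 from its DSL provider and 198.51.100.0/29 from a
# different provider over a T1, and sends some T1-sourced traffic out the DSL.
DSL_IFACE = "dsl-cust1"
PACKETS = [
    ("192.0.2.3", "203.0.113.10"),     # sourced from the DSL assignment
    ("10.9.9.9", "203.0.113.10"),      # spoofed: private source, not routed here
    ("198.51.100.7", "203.0.113.10"),  # sourced from the T1 block, sent via DSL
]


def strict_filter():
    """Filter that only knows the block this provider assigned."""
    f = IngressFilter()
    f.permit(DSL_IFACE, "192.0.2.0/29")
    return f


def filter_with_exception():
    """Same filter after the customer declares its other provider's block."""
    f = strict_filter()
    f.permit(DSL_IFACE, "198.51.100.0/29")
    return f


def decisions(f):
    """Verdict per packet in PACKETS, in order."""
    return [verdict for _, _, verdict in f.filter_packets(DSL_IFACE, PACKETS)]


if __name__ == "__main__":
    for label, f in (("strict", strict_filter()), ("with exception", filter_with_exception())):
        print(label, f.rule_count(DSL_IFACE), "rule(s):", decisions(f))
```

With only the provider's own assignment in the list, the spoofed 10.9.9.9 packet and the legitimate 198.51.100.7 packet are both dropped; the second is the false positive the post is worried about, and it only goes away once the customer's foreign block is added, which is exactly the per-customer list that has to be kept current. Strict unicast RPF has the same failure mode on asymmetric paths, since it checks the source against the routing table's best return interface rather than a static list.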