----- Original Message -----
From: "Laszlo Hanyecz" <laszlo@heliacal.net>
If you have links from both ISP A and ISP B and decide to send traffic out ISP A's link sourced from addresses ISP B allocated to you, ISP A *should* drop that traffic on the floor. There is no automated or scalable way for ISP A to distinguish this "legitimate" use from spoofing; unless you consider it scalable for ISP A to maintain thousands if not more "exception" ACLs to uRPF and BCP38 egress filters to cover all of the cases of customers X, Y, and Z sourcing traffic into ISP A's network using IPs allocated to them by other ISPs?
This is a legitimate and interesting use case that is broken by BCP38. The effectiveness of BCP38 at reducing abuse is dubious, but the benefits of asymmetric routing are well understood. Why should everyone have to go out of their way to break this.. it works fine if you just don't mess with it.
Let me see if I have your argument straight: In order to enable an "interesting" use case that is used by maybe well under 1% of end nodes not in PI address space, we should decide *not* to do something which makes it much easier to protect attack targets against well over 75% of incoming attacks of ridiculous (>OC-12) bandwidth? Is that what you're advocating? No. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274