On (2013-03-30 11:39 -0400), Jay Ashworth wrote:
> But there's no way for an upstream transit carrier to know that *at the present time*.
We expect our customers to mark any customers they have in their AS-SET. And we filter BGP announcements and we ACL traffic based on that.

I know mandating strict IRR is not practical to everyone today. But for me, it's practical. Sometimes I need to educate customers how to create a route object or AS-SET.

At least every non-stubby ASN facing stubby ASN should be able to do strict IRR. This is about 6000 networks.

Compared to other options:

1) close recursive name servers
   - even if all are closed, attack vector is virtually the same, as large RR can be found in arbitrary authoritative due to DNSSEC
   - snmpbulkwalk
   - UDP du jour
2) implement uRPF at last mile
   - hundreds of millions of ports, many of them running on autopilot, good chunk of them will never ever support uRPF

Obviously if we could choose 2) it would be best, but we can't choose it.

--
  ++ytti
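
An added illustration of the strict-IRR filtering described in the message above (not code from the poster or any project): it expands a customer's AS-SET recursively over constructed IRR objects and uses the matching route objects both as the BGP prefix filter and as the source-address ACL. All set names, AS numbers and prefixes are constructed from documentation ranges, and exact-prefix matching is an assumption of this sketch.

```python
import ipaddress

# Constructed IRR data (documentation ASNs and prefixes), not real registry objects.
AS_SETS = {
    "AS-CUSTOMER": ["AS64500", "AS-DOWNSTREAM"],
    "AS-DOWNSTREAM": ["AS64501", "AS-CUSTOMER"],  # deliberate loop back to the parent
}
ROUTE_OBJECTS = [  # (prefix, origin ASN)
    ("192.0.2.0/24", "AS64500"),
    ("198.51.100.0/24", "AS64501"),
    ("203.0.113.0/24", "AS64502"),  # registered, but origin is not in the AS-SET
]

def expand_as_set(name, as_sets, seen=None):
    """Resolve an AS-SET to its member ASNs, following nested sets and tolerating loops."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    asns = set()
    for member in as_sets.get(name, []):  # an unknown set expands to nothing
        if member[2:].isdigit():          # plain ASN such as AS64500
            asns.add(member)
        else:                             # nested AS-SET
            asns |= expand_as_set(member, as_sets, seen)
    return asns

def build_filter(as_set, as_sets, routes):
    """Map each permitted prefix to the origin ASN registered for it."""
    asns = expand_as_set(as_set, as_sets)
    return {ipaddress.ip_network(p): o for p, o in routes if o in asns}

def accept_announcement(prefix, origin, flt):
    """Strict match (assumption): exact prefix announced by its registered origin."""
    return flt.get(ipaddress.ip_network(prefix)) == origin

def accept_source(addr, flt):
    """ACL check: the packet's source address must sit inside a permitted prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in flt)

if __name__ == "__main__":
    flt = build_filter("AS-CUSTOMER", AS_SETS, ROUTE_OBJECTS)
    print("permitted prefixes:", sorted(map(str, flt)))
    print("announce 203.0.113.0/24 from AS64502:",
          accept_announcement("203.0.113.0/24", "AS64502", flt))
    print("packet sourced from 203.0.113.7:", accept_source("203.0.113.7", flt))
```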