On Wed, Feb 5, 2014 at 2:46 AM, Saku Ytti <saku@ytti.fi> wrote:
> If we keep thinking of this problem as a last-mile port problem, it won't be solved
> in the next 20 years, because a lot of those ports really can't do RPF, and even
> if
[snip]

The last-mile ports don't necessarily need RPF; a simple inbound access list on the ISP side, or even an outbound one on the CPE side, with all valid source addresses allowed and nothing else, is just perfect. In essence, it is a last-mile problem, and that is part of the challenge. The last mile is the best possible place to filter without breaking things. As for the idea that the world can take a shortcut and filter in some manner at transit services: it is tantalizing, but also not quite adequate, and that's probably not going to happen either.
[snip]
> However, a transit border doing ACL is something that seems to be very
> controversial; there is no universal consensus that it even should be
Anything that is likely to blackhole legitimate traffic is going to be controversial. IP source-based filtering on transit links may very well fall into that category of greatly increasing that risk in many cases. Restricting the source IP address range in from transit links is a bad idea, unless you can be certain that no other source IPs will show up legitimately, which you cannot necessarily be.

If I am a transit provider, and I connect with a peer network buying transit from me, then they get to route traffic over that link according to the routes my network announced to their router. If my router discards any of that traffic based on source, then the route I propagated to my peer was dishonest; that is, it would mean my route announcement was a lie: the filtering would in essence make some routes blackhole routes, and I am disrupting the connectivity for the unexpected source addresses just by turning up that link. Or I am at risk of disrupting connectivity in the future to any network that my downstream peer later interconnects with, if they will also provide transit in that relationship; and also, it would be common practice on many networks to turn up such interconnections at a date before I or any other transit upstreams are informed.

It is likely, from time to time, that many transit downstreams will obtain additional address allocations, or that they will make additional network connections: especially if, in fact, my downstream peer is multihomed, possibly with numerous providers, and they may themselves be a transit provider.

At a certain level, "RPF" does not work, because by design routing IN and OUT can very well be asymmetric traffic flows for networks that are multihomed. Not announcing the source to a specific network doesn't make it OKAY for the adjacent transit network to drop traffic from that source.
> done, and quite a few seem to do it. I feel we need to change this, and make the
> community at large agree it is the BCP, and solve the challenges presented.
--
-JH
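The distinction drawn in the reply above, a static source ACL on a last-mile port versus source filtering on a transit link, can be made concrete with a small model. The following is an added example, not code from the thread or from any of the networks discussed: it builds a toy longest-prefix-match FIB, then applies an ingress ACL, strict uRPF (accept only if the best route back to the source leaves via the ingress interface) and loose uRPF (accept if the source is routable at all) to packets from a multihomed downstream. All prefixes are RFC 5737 documentation ranges, the interface names are hypothetical, and the two scenarios are independent (203.0.113.0/24 is reused only because RFC 5737 reserves just three ranges). The transit FIB deliberately has no default route, as a provider in the default-free zone would not.

```python
"""BCP38-style source filtering: last-mile ACL vs. uRPF on a transit link.

Constructed example. Prefixes are RFC 5737 documentation ranges and the
interface names are hypothetical; this models no real network.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # hypothetical egress interface name


class Fib:
    """Minimal longest-prefix-match forwarding table. No default route is
    installed, as would be the case for a provider in the default-free zone."""

    def __init__(self, routes):
        self.routes = list(routes)

    def lookup(self, addr):
        addr = ipaddress.ip_address(addr)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


def ingress_acl_permits(src, permitted_prefixes):
    """Last-mile filter: the port carries exactly the customer's assigned
    prefixes, so permit those sources and nothing else."""
    a = ipaddress.ip_address(src)
    return any(a in p for p in permitted_prefixes)


def strict_urpf_permits(fib, src, ingress_iface):
    """Strict uRPF: accept only if the best route back to the source points
    out the interface the packet arrived on."""
    r = fib.lookup(src)
    return r is not None and r.interface == ingress_iface


def loose_urpf_permits(fib, src):
    """Loose uRPF: accept if the source is routable at all."""
    return fib.lookup(src) is not None


def last_mile_example():
    """ISP-side inbound ACL on a customer port assigned 203.0.113.0/24."""
    customer = [ipaddress.ip_network("203.0.113.0/24")]
    return {
        "legit": ingress_acl_permits("203.0.113.10", customer),    # True
        "spoofed": ingress_acl_permits("198.51.100.7", customer),  # False
    }


def transit_link_example():
    """My FIB as a transit provider. The downstream on 'to-downstream'
    announced 198.51.100.0/24 to me, announced 192.0.2.0/24 only to its
    other upstream (so I learn it via a peering), and holds 203.0.113.0/24
    as a new allocation it has not announced anywhere yet. It still sends
    traffic sourced from all three over my link, as my own route
    announcements invite it to."""
    fib = Fib([
        Route(ipaddress.ip_network("198.51.100.0/24"), "to-downstream"),
        Route(ipaddress.ip_network("192.0.2.0/24"), "to-peer"),
    ])
    return {
        "announced_strict": strict_urpf_permits(fib, "198.51.100.9", "to-downstream"),  # True
        "asymmetric_strict": strict_urpf_permits(fib, "192.0.2.5", "to-downstream"),    # False: legitimate traffic dropped
        "asymmetric_loose": loose_urpf_permits(fib, "192.0.2.5"),                       # True
        "new_alloc_strict": strict_urpf_permits(fib, "203.0.113.5", "to-downstream"),   # False
        "new_alloc_loose": loose_urpf_permits(fib, "203.0.113.5"),                      # False: loose mode does not help either
    }


if __name__ == "__main__":
    print(last_mile_example())
    print(transit_link_example())
```

The last-mile ACL needs no routing knowledge at all: the port's permitted sources are known at provisioning time, so spoofed packets are dropped and nothing legitimate is lost. On the transit link, strict uRPF discards the asymmetric 192.0.2.5 packet even though the downstream is entitled to send it, and neither mode accepts the newly allocated prefix until it appears in my FIB.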