On (2014-02-05 00:29 -0000), John Levine wrote:
> Why does it have to be hard? Restricting the filter to addresses which (A) the customer asserts are theirs
> How does the customer do that in a way that scales?
> I don't think any of this is rocket science, but it apparently is a real block to BCP38/84 implementation.
A transit provider can do an ACL; on some platforms it can be 100% the same object as used for BGP. Then set up the ultimate rule to allow and log. Then cooperate with the customer to weed through the unexpected, until none remain, and flip the allow to deny. But I guess no one is saying it cannot be done, more that there is no pay-off in it. The transit provider is compensated for bits transferred; spending money to receive less money may not appeal to the people in charge.

You also wrote:
> I was at a conference with people from some Very Large ISPs. They told me that many of their large customers absolutely will not let them do BCP38 filtering. ("If you don't want our business, we can find someone else who does.") The usual problem is that they have PA space from two providers and for various reasons, not all of which are stupid, traffic with provider A's addresses sometimes goes out through provider B. Adding to the excitement, some of these customers are medium sized ISPs with multihomed customers of their own.
Someone who worked for such an ISP told me they don't accept BCP38, because their business is to sell services to instances who want to spoof for whatever reason. The official reasons told to upstreams are different. He didn't appreciate the business and no longer works for said ISP. If what you say were the actual reason, it could be solved by a logging ACL. We, the community, could produce tooling to automate this on a few popular platforms. It automatically builds the ACL, with a web interface for humans to classify the logged/unknown. When classified by a human as a legit source, automatically create a route object for it. Recreate the ACL from route objects, submit it to the router. Repeat until the human operator is confident no further classification is needed, and ask the tool to swap log+permit for deny. Probably takes maybe 50h of development work.

--
++ytti, not it
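The log-then-enforce loop sketched in the message above, as an added example that is not part of the thread or of any real tool: an ingress ACL is rendered from the customer's route objects with a logged catch-all, the sources that hit that catch-all are surfaced for a human, accepted ones become new route objects, and the catch-all is flipped from permit to deny once the queue is empty. The IOS-style ACL syntax, the IPACCESSLOGP log format, the ACL name CUST-IN and all prefixes and log lines are assumed or constructed for illustration.

```python
"""BCP38 log-then-enforce loop (added example). IOS-style ACL syntax and
%SEC-6-IPACCESSLOGP log format are assumed; all data below is constructed."""
import ipaddress
import re

# Constructed: prefixes the customer has registered as route objects.
ROUTE_OBJECTS = {"192.0.2.0/24", "198.51.100.0/24"}

# Constructed syslog lines in the shape of IOS ACL-logging messages (format assumed).
# Only packets reaching the final "permit ip any any log" rule produce these.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list CUST-IN permitted tcp 203.0.113.7(51234) -> 192.0.2.1(443), 1 packet
%SEC-6-IPACCESSLOGP: list CUST-IN permitted udp 203.0.113.9(53) -> 198.51.100.5(53), 1 packet
%SEC-6-IPACCESSLOGP: list CUST-IN permitted tcp 10.0.0.1(1024) -> 192.0.2.1(80), 1 packet
%SEC-6-IPACCESSLOGP: list OTHER-IN permitted tcp 203.0.113.200(22) -> 192.0.2.1(22), 1 packet
""".splitlines()

LOG_RE = re.compile(r"list (?P<acl>\S+) (?P<action>permitted|denied) \S+ (?P<src>[\d.]+)\(")


def logged_sources(lines, acl_name):
    """Source addresses that hit the logged catch-all of the named ACL."""
    srcs = set()
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("acl") == acl_name:
            srcs.add(ipaddress.ip_address(m.group("src")))
    return srcs


def covered(addr, prefixes):
    """True when addr falls inside any registered route object."""
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def unexpected_sources(lines, acl_name, prefixes):
    """Logged sources not covered by a route object: the human's work queue."""
    return sorted(str(a) for a in logged_sources(lines, acl_name) if not covered(a, prefixes))


def classify(prefixes, decisions):
    """Apply human decisions. Each value is the prefix to register as a route
    object, or None when the source is judged spoofed/unknown and gets nothing.
    A prefix that does not contain the source it was entered for is rejected."""
    new = set(prefixes)
    for src, prefix in decisions.items():
        if prefix is None:
            continue
        net = ipaddress.ip_network(prefix)  # strict: host bits set raise ValueError
        if ipaddress.ip_address(src) not in net:
            raise ValueError(f"{src} is not inside {prefix}")
        new.add(str(net))
    return new


def render_acl(acl_name, prefixes, enforce):
    """IOS-style extended ACL: one permit per route object, then the catch-all,
    which is permit+log while classifying and deny+log once enforce=True."""
    lines = [f"ip access-list extended {acl_name}"]
    for net in sorted(ipaddress.ip_network(p) for p in prefixes):
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(f" {'deny' if enforce else 'permit'} ip any any log")
    return lines


if __name__ == "__main__":
    queue = unexpected_sources(SAMPLE_LOG, "CUST-IN", ROUTE_OBJECTS)
    print("to classify:", queue)
    # Human decides 203.0.113.0/24 is a legit (multihomed) prefix; 10.0.0.1 is junk.
    objs = classify(ROUTE_OBJECTS, {"203.0.113.7": "203.0.113.0/24",
                                    "203.0.113.9": "203.0.113.0/24",
                                    "10.0.0.1": None})
    print("\n".join(render_acl("CUST-IN", objs, enforce=False)))
    print("still unexpected:", unexpected_sources(SAMPLE_LOG, "CUST-IN", objs))
    # Operator is satisfied: flip the catch-all.
    print("\n".join(render_acl("CUST-IN", objs, enforce=True)))
```

Two caveats a practitioner would keep in mind: because the permit lines match first, addresses already inside a route object never reach the catch-all, so their absence from the log says nothing about whether the prefix is still in use; and ACL logging is punted and rate-limited on most platforms, so the log is a sample of unexpected sources, not a complete count, which is why the flip to deny stays a human decision rather than an automatic one.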