Phil Howard wrote:
Jon Lewis writes...
Why is it that the NSPs I've encountered refuse to do any sort of sanity filtering on their customer connections? i.e. If UUNet knows that FDT has only 205.229.48/20 and 208.215.0/20, why should they let me send traffic through their network with random source addresses?
I'm assuming that they don't want to overload their router with all that extra filtering, especially on the interface inbounds.
There's more to consider. The choice of routing gear and router software can allow filtering without adversely affecting performance.
OTOH, I've always believed that all routers should be required to apply routing decisions first to the source address and determine if the interface it arrived on is at least a valid return path (not necessarily best) and if not, drop the packet. Then do the destination work.
We considered this in the first published draft of: draft-ferguson-ingress-filtering-02.txt but ultimately removed this from the text. The return path is often not the same as the forward path, thanks to the BGP policies through the core routers. In many cases, alternate paths will not be known.
Again, too much work for the routers to do.
No. It IS work, but a router and/or router software designed to handle this capability is NOT a hard thing. If that's an important feature, then the hardware and software CAN be designed that perform these functions efficiently. -- ------------------------------------------------------- Daniel Senie dts@openroute.com OpenROUTE Networks, Inc. http://www.openroute.com/ 508-898-2800