On 04/02/14 14:18, John Levine wrote:
I was at a conference with people from some Very Large ISPs. They told me that many of their large customers absolutely will not let them do BCP38 filtering. ("If you don't want our business, we can find someone else who does.") The usual problem is that they have PA space from two providers and for various reasons, not all of which are stupid, traffic with provider A's addresses sometimes goes out through provider B. Adding to the excitement, some of these customers are medium sized ISPs with multihomed customers of their own.
I haven't read it all, but section 3 says:
However, by restricting transit traffic which originates from a downstream network to known, and intentionally advertised, prefix(es), the problem of source address spoofing can be virtually eliminated in this attack scenario.
If ISP has customer A with multiple *known* valid networks --doesn't matter if ISP allocated them to customer or not-- and ISP lets them all out, but filters everything else, ISP is still complying with BCP 38. Here it's not a matter of blocking "just because". It's blocking unknown addresses. It doesn't either mean that ISP should not open the filters if a new prefix is requested by the customer.