jl> I'm not saying UUNet should install whatever filters I want on their
jl> routers. I'm just saying the net would be a MUCH nicer place if NSPs all
jl> did ingress filtering on their customer connections. If current routers
jl> can't handle the load this would create, then NSPs need to find vendors
jl> willing to deliver the necessary power, or they need to rethink the way
jl> they design their networks.

randy> Most of my customers have customers who in turn have
randy> customers, not a few of whom are multi-homed. Same for
randy> UUNET, ...
randy> So, at POP X, I take in maybe 100 prefixes, with maybe 1000
randy> at some POPs. How do I build and maintain that filter list,

The same way you build and maintain routing filter lists for the prefixes you take in. You do use routing filter lists, don't you? It should be the same list of networks.

randy> and how long does it take each packet to get through it with
randy> a router that also does real routing?

Therein lies the argument. Do the huddled masses want things that move packets or things that make judgements on them? Difficult to have both.

I don't think the world is yet able to technically support security within the infrastructure that provides transit. It needs to be at a separate layer, or on the fringe. The economies of today's customer aggregation routers do not allow a person to invest in that functionality inherent in the router. (Yes, they could, but that cuts into the company's bottom line, and as there really isn't that big of an outcry or decrement in QOS of the company's IP product, why would they?)

Accordingly, one must rely upon reactionary security folk to track down the attacks of bogus packets. Significant investment should be made and supported in building automated response systems and scripts.

Should the USPS forbid mail with bad return addresses?

-alan
alan@mindvision.com
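The point Alan makes above, that the ingress packet filter on a customer port should be derived from the same prefix list that already gates that customer's route announcements, is easy to show in code. The example below is added here and is not from the thread or any vendor; the prefixes are constructed from the RFC 5737 documentation ranges, the customer/downstream relationships are invented for illustration, and the rendered ACL uses classic numbered-extended-ACL syntax (wildcard masks) only as one concrete output format.

```python
"""Derive a per-port ingress source-address filter from the route-filter
prefix list for that customer port (added example, not from the thread).
All prefixes are constructed from RFC 5737 documentation space."""
import ipaddress
from typing import Iterable, List

# Constructed route-filter list for one customer port at "POP X": the
# prefixes we are willing to accept from this customer in BGP, including
# prefixes that belong to the customer's own (possibly multi-homed)
# downstream customers.  A multi-homed downstream customer may legitimately
# send packets sourced from its prefix through this port, so its prefix
# has to be in the list, exactly as it has to be in the route filter.
CUSTOMER_ROUTE_FILTER = [
    "192.0.2.0/24",       # the customer's own allocation
    "198.51.100.0/25",    # a single-homed downstream customer of theirs
    "203.0.113.64/26",    # a multi-homed downstream customer of theirs
]


def build_ingress_filter(route_filter: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Turn the route-filter prefix list into the set of source networks
    permitted on the port.  Overlapping and adjacent entries are collapsed
    so the packet filter is no longer than it needs to be (the 'how long
    does each packet take' concern)."""
    nets = [ipaddress.ip_network(p, strict=True) for p in route_filter]
    return list(ipaddress.collapse_addresses(nets))


def source_permitted(ingress_filter: List[ipaddress.IPv4Network], src: str) -> bool:
    """True if a packet with this source address is allowed in on the port;
    anything else is a spoofed (or misrouted) source and is dropped."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ingress_filter)


def render_cisco_acl(ingress_filter: List[ipaddress.IPv4Network], number: int = 101) -> List[str]:
    """Render the filter as a numbered extended ACL: permit the customer's
    sources, deny (and log) everything else.  Wildcard masks are the
    bitwise inverse of the netmask, which ipaddress exposes as .hostmask."""
    lines = []
    for net in ingress_filter:
        lines.append(
            f"access-list {number} permit ip {net.network_address} {net.hostmask} any"
        )
    lines.append(f"access-list {number} deny ip any any log")
    return lines


if __name__ == "__main__":
    acl_filter = build_ingress_filter(CUSTOMER_ROUTE_FILTER)
    print("\n".join(render_cisco_acl(acl_filter)))
    # Constructed sample sources: two legitimate, two that must be dropped.
    for src in ("192.0.2.10", "203.0.113.70", "10.0.0.1", "203.0.113.1"):
        verdict = "permitted" if source_permitted(acl_filter, src) else "DROP (spoofed source)"
        print(f"{src:>15}  {verdict}")
```

The check is a longest-match-style membership test; on a real customer aggregation router the same list is applied inbound on the customer interface, and because it is generated from the route filter, updating the one list updates both.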