North American Network Operators Group


Re: Policies: Routing a subset of another ISP's address block

  • From: Jesper Skriver
  • Date: Fri Apr 07 14:12:47 2000

On Wed, Apr 05, 2000 at 12:29:53PM -0400, Jim Duncan wrote:
> Jesper Skriver writes:
> > > I don't see the logic behind refusing the customer a request of this sort.
> > 
> > Exploding routing tables, and it makes it impossible to do anti-spoofing
> > filters ...
> It's only a problem if the ISPs expect to handle transit traffic from the
> customer.  I suspect that most multi-homed customers do _not_ intend nor
> desire to carry traffic from one provider to another over their own
> network.

No, this is not correct. Let's assume provider A has x.x.0.0/16 assigned, and
denies any traffic with a source address within this range on all peering
(and transit) links, and let's assume that customer Z gets provider B
to announce x.x.10.0/24 for him; this means that customer Z cannot
reach anything on provider A's network in the case where the link to
provider A fails.

> Apologies if I've misunderstood the discussion, but with regard to
> anti-spoofing of source addresses, a multi-homed non-ISP customer on the
> edge of the network is no different from a single-homed customer: you
> filter so that all packets leaving that network meet the criteria for
> packets sourced on that customer's network.

Yes, but you also need to make sure that others cannot spoof source
addresses that you have declared to be spoofing safe (so people can trust
the source address for authentication purposes).

> Of course, the best way to implement this is for the _customers_ to 
> implement this filtering on all the interfaces of all their routers.  
> That's where there's going to be router CPU to spare, and if they did 
> that, then the ISPs wouldn't have to worry about it.
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Work:    Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek            @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
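To make the failure mode Jesper describes concrete, here is an added Python model of provider A's ingress filters; it is not code from the post or from any vendor configuration, and the prefixes 10.0.0.0/16 and 10.0.10.0/24 are constructed stand-ins for x.x.0.0/16 and x.x.10.0/24.

```python
import ipaddress

# Constructed stand-ins for the prefixes in the thread.
A_AGGREGATE = ipaddress.ip_network("10.0.0.0/16")    # provider A's block, x.x.0.0/16
Z_PREFIX = ipaddress.ip_network("10.0.10.0/24")      # customer Z's subset, x.x.10.0/24


def peering_ingress_filter(src, exceptions=()):
    """Anti-spoofing filter on A's peering/transit links: drop anything that
    claims a source inside A's own block, unless A has explicitly excepted
    the prefix (a customer legitimately reachable through another provider)."""
    src = ipaddress.ip_address(src)
    if any(src in e for e in exceptions):
        return "accept"
    return "drop" if src in A_AGGREGATE else "accept"


def customer_link_filter(src, customer_prefix):
    """Filter on the customer-facing port (the per-customer filter Jim
    describes): only the customer's own addresses may be sourced there."""
    return "accept" if ipaddress.ip_address(src) in customer_prefix else "drop"


def deliver(src, link_to_a_up, exceptions=()):
    """Fate of a packet from Z to a host inside A. With Z's link to A up it
    enters on Z's customer port; with the link down, B carries it and it
    arrives at A over a peering link, where the anti-spoofing filter applies."""
    if link_to_a_up:
        return customer_link_filter(src, Z_PREFIX)
    return peering_ingress_filter(src, exceptions)


def spoofing_safe(prefix, exceptions=()):
    """Can A still vouch that a packet sourced from `prefix` and arriving over
    a peering link is not spoofed? Only while the prefix is inside A's block
    and no peering-link exception overlaps it."""
    prefix = ipaddress.ip_network(prefix)
    return prefix.subnet_of(A_AGGREGATE) and not any(prefix.overlaps(e) for e in exceptions)


if __name__ == "__main__":
    # Link to A up: Z's packet is accepted on the customer port.
    print("link up     :", deliver("10.0.10.5", True))                       # accept
    # Link to A down: same packet arrives via B and is dropped as spoofed.
    print("link down   :", deliver("10.0.10.5", False))                      # drop
    # Excepting Z's /24 on the peering filter restores reachability ...
    print("with except :", deliver("10.0.10.5", False, [Z_PREFIX]))          # accept
    # ... but A can no longer vouch for sources in that /24 on peering links.
    print("Z vouchable :", spoofing_safe("10.0.10.0/24", [Z_PREFIX]))        # False
    print("rest of A   :", spoofing_safe("10.0.20.0/24", [Z_PREFIX]))        # True
```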