On 10/26/2012 3:15 PM, [email protected] wrote:
> paul vixie <[email protected]> wrote on 10/26/2012 10:32:57 AM:
>
>> ... they are following the 'chemical polluter business model' where the
>> money is made "here" and the impact is only felt "over there".
> I'm not an internet routing guru, so I must not be seeing something. When
> my organization connects to an upstream provider, they know we have a
> block of addresses assigned (Actually, we have more than one). They know
> that we connect to their switch in rack X, switch Y, port Z.
>
> If they see a packet with a source address of 8.8.8.8 appearing on that
> port, what possible reason could they have for allowing it through?

the cost of finding out from you which source ip address ranges are valid
for your interface, programming their routing equipment, dealing with the
error rate inevitable in all human-related systems, and auditing all of
this is measurably non-zero. this is what experienced providers call a
'one-off'. to the extent that they can make your interface with what many
providers call a 'cookie cutter' -- that is, all alike -- they will spend
measurably less money delivering their service to you.

> ...
>
> I looked at BCP84/RFC3704, but as a non-networking person, it was brushing
> the bald-spot.

the non-networking person version (sometimes called the 'pointy haired
boss version') is called 'SAC004' and was written by me ten years ago
(october 2002):
<http://archive.icann.org/en/committees/security/sac004.txt>.

> I know this is drifting from the list topic, so thank you for the
> indulgence.

source address validation is very important to dns operations; i don't
consider this thread off-topic.

paul
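
An added example, not part of the original message or of any provider's tooling: a sketch of the per-port source address check the question describes, showing why each customer port needs its own prefix list (the 'one-off' cost). Port names and prefixes are constructed; the prefixes are documentation ranges.

```python
import ipaddress
from collections import Counter

# Constructed provisioning data: customer-facing port -> prefixes assigned to
# that customer (documentation ranges; port names are hypothetical).
PORT_PREFIXES = {
    "rackX/switchY/portZ": ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:10::/48"],
    "rackX/switchY/portQ": ["203.0.113.0/24"],
}

def build_filters(port_prefixes):
    """Parse each port's prefix strings once; strict=True rejects host bits."""
    return {port: [ipaddress.ip_network(p, strict=True) for p in prefixes]
            for port, prefixes in port_prefixes.items()}

def check_source(filters, port, src):
    """Return 'permit', 'drop-spoofed', or 'unfiltered' for one packet."""
    nets = filters.get(port)
    if nets is None:
        # Port with no per-customer list: nothing to validate against.
        return "unfiltered"
    addr = ipaddress.ip_address(src)
    # Compare only within the same address family.
    if any(addr.version == n.version and addr in n for n in nets):
        return "permit"
    return "drop-spoofed"

def audit(filters, packets):
    """Tally verdicts per port for an iterable of (port, source) pairs."""
    tally = Counter()
    for port, src in packets:
        tally[(port, check_source(filters, port, src))] += 1
    return tally

# Constructed sample traffic, including the 8.8.8.8 case from the thread.
SAMPLE = [
    ("rackX/switchY/portZ", "192.0.2.17"),
    ("rackX/switchY/portZ", "198.51.100.5"),
    ("rackX/switchY/portZ", "198.51.100.200"),  # outside the /25
    ("rackX/switchY/portZ", "8.8.8.8"),
    ("rackX/switchY/portZ", "2001:db8:10::53"),
    ("rackX/switchY/portQ", "192.0.2.17"),      # valid elsewhere, not here
    ("rackX/switchY/portR", "8.8.8.8"),         # port never provisioned
]

if __name__ == "__main__":
    for (port, verdict), n in sorted(audit(build_filters(PORT_PREFIXES), SAMPLE).items()):
        print(f"{port:22} {verdict:13} {n}")
```

The "unfiltered" verdict is the cookie-cutter case: a port with no per-customer list passes any source address, which is where spoofed traffic gets through.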
