Yeah, that's what I meant: ingress filter all edge connections except maybe BGP, and accept opt-out requests.
valdis.kletni...@vt.edu wrote:
>On Thu, 28 Mar 2013 15:05:57 -0400, Jay Ashworth said:
>> ----- Original Message -----
>> > From: "Valdis Kletnieks" <valdis.kletni...@vt.edu>
>> > For 5 9's worth of eyeball networks hanging off consumer-grade ADSL and cable
>> > connections, it's still the edge and still trivially filterable. If that's a
>> > problem, the ISP can upsell a business-class connection that doesn't
>> > filter. ;)
>>
>> C'mon guys: the edge is where people who *source and sink* packets
>> connect to people who *move* packets. There may be some edges *inside*
>> carriers, but there is certainly an edge where carriers hook up customers.
>
>Exactly - packets leaving Comcast's network and going to another tier 1/2,
>the receiver may have a hard time figuring out if the packet is legit or not.
>But it's trivial for Comcast to tell whether the packet that just came out
>my cablemodem is consistent with what their DHCP server told my CPE.
>(For the record, the last time I tried running the spoofer.sail stuff
>on my home gear, it was totally unable to sneak a packet out, so at least
>part of Comcast does this right).
>
>And the fact that there's places where it *is* hard to deploy isn't an excuse
>for not doing it in the 98% of places where it's a slam dunk.
>
>> And no, this should apply to business-grade connections as much as resi.
>
>Oh, I was intending *those* would be filtered by default as well, but you
>could request an opt-out if you were trying to do multi-homing on the cheap
>as some people have suggested (similar to blocking outbound 25 by default,
>unless the user actually has a mail server).

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
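The edge check the thread describes (is the source address of a packet leaving a customer port consistent with what the ISP's own DHCP server or static assignment gave that CPE?), together with the per-customer opt-out for multi-homing, as an added Python illustration that is not code from the thread or from any ISP. The port table, the opt-out flag and the sample packets are constructed data.

```python
# Added illustration of edge source-address validation as discussed in the
# thread; not the thread's or any ISP's code. Port table and packets are constructed.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class EdgePort:
    """What may legitimately source packets on one customer-facing port."""
    allowed: list = field(default_factory=list)  # ip_network objects
    opt_out: bool = False                        # customer asked not to be filtered

# Constructed assignment table: customer port -> allowed sources
PORTS = {
    # residential cable modem: one v4 DHCP lease plus a v6 delegated prefix
    "cm-0001": EdgePort([ipaddress.ip_network("203.0.113.17/32"),
                         ipaddress.ip_network("2001:db8:1::/48")]),
    # business static /29: filtered by default, same as resi
    "biz-0042": EdgePort([ipaddress.ip_network("198.51.100.0/29")]),
    # business customer multi-homing on the cheap: opted out on request
    "biz-0077": EdgePort([ipaddress.ip_network("198.51.100.64/29")], opt_out=True),
}

def check_source(port_id, src):
    """Return ('forward', reason) or ('drop', reason) for a packet with
    source address `src` arriving from customer port `port_id`."""
    port = PORTS.get(port_id)
    if port is None:
        return "drop", "unknown port"
    if port.opt_out:
        return "forward", "port opted out of filtering"
    addr = ipaddress.ip_address(src)
    # a v4 address never matches a v6 network (and vice versa), so no special-casing
    if any(addr in net for net in port.allowed):
        return "forward", "source matches assignment"
    return "drop", "source not assigned to this port"

def filter_packets(packets):
    """Run the check over (port_id, src, dst) tuples; return one log line per
    dropped packet, the record a SOC would keep to spot spoofing attempts."""
    log = []
    for port_id, src, dst in packets:
        verdict, reason = check_source(port_id, src)
        if verdict == "drop":
            log.append(f"DROP port={port_id} src={src} dst={dst} reason={reason}")
    return log

# Constructed packets: legit v4 lease, spoofed source, legit v6, opted-out port
SAMPLE = [("cm-0001", "203.0.113.17", "192.0.2.10"), ("cm-0001", "192.0.2.200", "192.0.2.10"),
          ("cm-0001", "2001:db8:1::5", "2001:db8:ff::1"), ("biz-0077", "192.0.2.200", "192.0.2.10")]
```

Only the second sample packet is dropped: its source is neither the port's DHCP lease nor inside its delegated v6 prefix, while the same source from the opted-out port is forwarded.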