On 04/02/14 14:18, John Levine wrote:
> I was at a conference with people from some Very Large ISPs.  They
> told me that many of their large customers absolutely will not let
> them do BCP38 filtering.  ("If you don't want our business, we can
> find someone else who does.")  The usual problem is that they have PA
> space from two providers and for various reasons, not all of which
> are stupid, traffic with provider A's addresses sometimes goes out
> through provider B.  Adding to the excitement, some of these
> customers are medium sized ISPs with multihomed customers of their
> own.

I haven't read it all, but section 3 says:

However, by restricting transit traffic which originates from a
downstream network to known, and intentionally advertised,
prefix(es), the problem of source address spoofing can be virtually
eliminated in this attack scenario.

If an ISP has customer A with multiple *known* valid networks (it doesn't matter whether the ISP allocated them to the customer or not) and the ISP lets them all out but filters everything else, the ISP is still complying with BCP 38.

Here it's not a matter of blocking "just because". It's blocking unknown addresses. Nor does it mean that the ISP should not open the filters if a new prefix is requested by the customer.
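An added illustration of the "known prefixes in, everything else out" rule from the quoted section 3, not code from this thread: a Python model of the ingress filter on customer A's port at provider B, where the customer's PA space from provider A is registered as a known prefix and later widened on request. Addresses are constructed documentation-range values and the function names are assumptions of this example.

```python
from ipaddress import ip_address, ip_network

# Prefixes provider B knows customer A legitimately sources traffic from.
# Constructed example values. The second prefix is PA space the customer
# holds from provider A, declared to B because some of its traffic leaves via B.
CUSTOMER_PREFIXES = {
    "customer-a": [
        ip_network("203.0.113.0/24"),   # allocated by provider B
        ip_network("198.51.100.0/25"),  # PA space from provider A, declared to B
    ],
}


def build_ingress_filter(prefixes):
    """Return a permit(src) function for one customer port.

    Any source address not inside a known prefix is dropped: this is the
    BCP 38 'filter everything else' rule. The closure reads the live list,
    so prefixes added later take effect without rebuilding the filter.
    """
    def permit(src):
        addr = ip_address(src)
        return any(addr in net for net in prefixes)
    return permit


def add_prefix(prefixes, new_prefix):
    """Open the filter for a prefix the customer has newly requested."""
    prefixes.append(ip_network(new_prefix))


def filter_packets(permit, packets):
    """Apply the filter to (src, dst) tuples; return (accepted, dropped)."""
    accepted, dropped = [], []
    for src, dst in packets:
        (accepted if permit(src) else dropped).append((src, dst))
    return accepted, dropped


# Constructed sample packets arriving on customer A's port at provider B.
SAMPLE_PACKETS = [
    ("203.0.113.10", "192.0.2.1"),    # provider-B-allocated source: allowed
    ("198.51.100.7", "192.0.2.1"),    # provider-A PA source, declared: allowed
    ("198.51.100.200", "192.0.2.1"),  # outside the declared /25: dropped
    ("192.0.2.99", "192.0.2.1"),      # belongs to no known prefix: dropped
]

if __name__ == "__main__":
    permit = build_ingress_filter(CUSTOMER_PREFIXES["customer-a"])
    accepted, dropped = filter_packets(permit, SAMPLE_PACKETS)
    print("accepted:", accepted)
    print("dropped: ", dropped)
```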
