----- Original Message -----
> From: "Laszlo Hanyecz" <las...@heliacal.net>

>> If you have links from both ISP A and ISP B and decide to send traffic
>> out ISP A's link sourced from addresses ISP B allocated to you, ISP A
>> *should* drop that traffic on the floor. There is no automated or
>> scalable way for ISP A to distinguish this "legitimate" use from
>> spoofing; unless you consider it scalable for ISP A to maintain
>> thousands if not more "exception" ACLs to uRPF and BCP38 egress
>> filters to cover all of the cases of customers X, Y, and Z sourcing
>> traffic into ISP A's network using IPs allocated to them by other ISPs?
>
> This is a legitimate and interesting use case that is broken by BCP38.
> The effectiveness of BCP38 at reducing abuse is dubious, but the
> benefits of asymmetric routing are well understood. Why should everyone
> have to go out of their way to break this.. it works fine if you just
> don't mess with it.

Let me see if I have your argument straight:

In order to enable an "interesting" use case that is used by maybe well
under 1% of end nodes not in PI address space, we should decide *not* to
do something which makes it much easier to protect attack targets against
well over 75% of incoming attacks of ridiculous (>OC-12) bandwidth?

Is that what you're advocating?

No.

Cheers,
-- jra
--
Jay R. Ashworth Baylink j...@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274