Hi Alejandro,
Also inline.
On Sat, Mar 30, 2013 at 10:17 PM, Alejandro Acosta
alejandroacostaal...@gmail.com wrote:
Hi William,
Thanks for your response, my comments below:
On 3/30/13, William Herrin b...@herrin.us wrote:
On Fri, Mar 29, 2013 at 11:21 PM, Alejandro Acosta
On (2013-03-29 13:31 +0100), Tore Anderson wrote:
I've had some problems with my upstream providers' ingress filtering,
for example:
That sounds like uRPF, which you should not run towards your transit
customers.
I'm talking only about using ACL. And I stand by that I've never had to fix
Quite a number of people have responded to this post.
But no one's actually addressed my key question:
- Original Message -
From: Jay Ashworth j...@baylink.com
In the current BCP38/DDoS discussions, I've seen a lot of people suggesting
that it's practical to do ingress filtering at
On (2013-03-30 11:39 -0400), Jay Ashworth wrote:
But there's no way for an upstream transit carrier to know that *at the
present time*.
We expect our customers to mark any customers they have in their AS-SET.
And we filter BGP announcements and we ACL traffic based on that.
I know mandating
Hi William,
Thanks for your response, my comments below:
On 3/30/13, William Herrin b...@herrin.us wrote:
On Fri, Mar 29, 2013 at 11:21 PM, Alejandro Acosta
alejandroacostaal...@gmail.com wrote:
On 3/29/13, Patrick na...@haller.ws wrote:
On 2013-03-29 14:49, William Herrin wrote:
I've long
* Saku Ytti
Question is, is it reasonable to expect customer to know what
networks they have. If yes, then you can ask them to create route
objects and then you can BGP prefix-filter and ACL on them. I do
both, and it has never been problem to my customers (enterprises,
CDNs, eyeballs).
On Fri, Mar 29, 2013 at 8:31 AM, Tore Anderson t...@fud.no wrote:
I've had some problems with my upstream providers' ingress filtering,
for example:
- Traffic sourced from a prefix announced as a more-specific route at
transit connection in location A got filtered on a transit connection in
On 2013-03-29 14:49, William Herrin wrote:
I've long thought router vendors should introduce a configuration
option to specify the IP address from which ICMP errors are emitted
rather than taking the interface address from which the packet causing
the error was received.
Concur. An 'ip(v6)?
Hi,
On 3/29/13, Patrick na...@haller.ws wrote:
On 2013-03-29 14:49, William Herrin wrote:
I've long thought router vendors should introduce a configuration
option to specify the IP address from which ICMP errors are emitted
rather than taking the interface address from which the packet
On Fri, Mar 29, 2013 at 11:21 PM, Alejandro Acosta
alejandroacostaal...@gmail.com wrote:
On 3/29/13, Patrick na...@haller.ws wrote:
On 2013-03-29 14:49, William Herrin wrote:
I've long thought router vendors should introduce a configuration
option to specify the IP address from which ICMP
In the current BCP38/DDoS discussions, I've seen a lot of people suggesting
that it's practical to do ingress filtering at places other than the edge.
My understanding has always been different from that, based on the idea
that the carrier to which a customer connects is the only one with which
is there a clear understanding of the edge in the network operations
community? in a simpler world, it was not that difficult, but interconnect
has blossomed and grown all sorts of noodly appendages/extensions. I fear
that edge does not mean what you think it means anymore.
/bill
On Thu,
On Thu, 28 Mar 2013 17:16:48 -, bmann...@vacation.karoshi.com said:
is there a clear understanding of the edge in the network operations
community? in a simpler world, it was not that difficult, but interconnect
has blossomed and grown all sorts of noodly appendages/extensions. I fear
On Thu, Mar 28, 2013 at 1:07 PM, Jay Ashworth j...@baylink.com wrote:
My understanding has always been different from that, based on the idea
that the carrier to which a customer connects is the only one with which
that end-site has a business relationship, and therefore (frex), the only one
On Thu, Mar 28, 2013 at 01:47:45PM -0400, valdis.kletni...@vt.edu wrote:
On Thu, 28 Mar 2013 17:16:48 -, bmann...@vacation.karoshi.com said:
is there a clear understanding of the edge in the network operations
community? in a simpler world, it was not that difficult, but interconnect
On (2013-03-28 13:07 -0400), Jay Ashworth wrote:
The edge carrier's *upstream* is not going to know that it's reasonable
for their customer -- the end-site's carrier -- to be originating traffic
with those source addresses, and if they ingress filter based on the
prefixes they route down to
- Original Message -
From: Valdis Kletnieks valdis.kletni...@vt.edu
On Thu, 28 Mar 2013 17:16:48 -, bmann...@vacation.karoshi.com
said:
is there a clear understanding of the edge in the network operations
community? in a simpler world, it was not that difficult, but
- Original Message -
From: William Herrin b...@herrin.us
So, you represent to your ISP that you're authorized to use a certain
range of addresses. He represents to his upstream that he's authorized
to use them on your behalf, and so on.
The former is a first-hand transaction: if
On Thu, Mar 28, 2013 at 12:27 PM, Jay Ashworth j...@baylink.com wrote:
- Original Message -
From: William Herrin b...@herrin.us
So, you represent to your ISP that you're authorized to use a certain
range of addresses. He represents to his upstream that he's authorized
to use them on
- Original Message -
From: Saku Ytti s...@ytti.fi
On (2013-03-28 13:07 -0400), Jay Ashworth wrote:
The edge carrier's *upstream* is not going to know that it's reasonable
for their customer -- the end-site's carrier -- to be originating traffic
with those source addresses, and
- Original Message -
From: Paul Ferguson fergdawgs...@gmail.com
The former is a first-hand transaction: if you're lying to your edge
carrier, he can cut you off with no collateral damage.
Of course, he has to notice it first. :-)
Sure.
ObOpinion: It's best to *enforce* a
On Thu, 28 Mar 2013 15:05:57 -0400, Jay Ashworth said:
- Original Message -
From: Valdis Kletnieks valdis.kletni...@vt.edu
For 5 9's worth of eyeball networks hanging off consumer-grade ADSL and cable
connections, it's still the edge and still trivially filterable. If that's a
Yeah, that's what I meant: ingress filter all edge connections except maybe
BGP, and accept optout requests.
valdis.kletni...@vt.edu wrote:
On Thu, 28 Mar 2013 15:05:57 -0400, Jay Ashworth said:
- Original Message -
From: Valdis Kletnieks valdis.kletni...@vt.edu
For 5 9's worth of
On (2013-03-28 15:47 -0400), Jay Ashworth wrote:
You can't do it at top-level nor it's not practical to hope that some
day BCP38 is done in reasonably many last-mile port.
I don't know that that's true, actually; unicast-rpf does, as I understand
it, most of the work, and is in most of
Saku,
all these 100s of millions of ports configured correctly does not strike as
practical goal.
It is practical, IMO, similar to configuring IP address/prefix (or QoS
policies) on every port.
In fact, what makes it easier is that uRPF can be part of the template that can
be universally
On (2013-03-28 23:45 +), Rajiv Asati (rajiva) wrote:
In fact, what makes it easier is that uRPF can be part of the template that
can be universally applied to every edge port.
There is incredible amount of L3 interfaces in the last mile, old ghetto
stuff, latest gen Cisco, which does not
On 3/28/2013 7:49 PM, Saku Ytti wrote:
On (2013-03-28 23:45 +), Rajiv Asati (rajiva) wrote:
In fact, what makes it easier is that uRPF can be part of the template that
can be universally applied to every edge port.
There is incredible amount of L3 interfaces in the last mile, old ghetto
On 3/28/13, Jay Ashworth j...@baylink.com wrote:
My understanding has always been different from that, based on the idea
that the carrier to which a customer connects is the only one with which
that end-site has a business relationship, and therefore (frex), the only
one whom that end-site
On Thu, 28 Mar 2013, Jay Ashworth wrote:
C'mon guys: the edge is where people who *source and sink* packets
connect to people who *move* packets. There may be some edges *inside*
carriers, but there is certainly an edge where carriers hook up customers.
And no, this should apply to
See below
Jared Mauch
On Mar 28, 2013, at 5:04 PM, Jimmy Hess mysi...@gmail.com wrote:
Ingress source addresses should optimally ideally be filtered at
turnup to the list of authorized prefixes, if uRPF cannot be
implemented (uRPF is convenient, but not necessarily necessary to
implement
On Thu, 28 Mar 2013, Jon Lewis wrote:
It's time for people to stop passing the buck on BCP38 (we don't do it,
because it really ought to be done at that other level) and start
implementing it where possible.
An economic factor will be required for BCP38 to be effective.
It will have to cost
31 matches