On Wed, Mar 27, 2013 at 11:02 AM, Jack Bates <jba...@brightok.net> wrote:
> It's also not a bad idea for an ISP to deploy EGRESS filters if they do not
> offer BGP Transit services.

Nor is it a bad idea for their upstream to inquire as to whether the
downstream offers BGP transit services and apply INGRESS filters if
they do not.

> This way they are not depending on their transit
> providers to handle spoof protection and they cover their entire network
> regardless of last mile ingress filtering. This doesn't generally work well
> when doing transit services of any size due to the number of egress filter
> updates you'd have to issue, but it is great for the small/medium ISP.

Build a web page where a downstream can set the filters on his
interface at his convenience. Apply some basic sanity checks against
wide-open. Worry about small lies from a forensic after-the-fact
perspective. This problem has a trivial technology-only solution.

Regards,
Bill Herrin

--
William D. Herrin ................ her...@dirtside.com b...@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
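
A sketch of the "basic sanity checks against wide-open" suggested in the message above, added here as an example and not code from the thread or its participants. The function name `check_filter`, the minimum prefix lengths and the address-space cap are assumptions chosen for illustration.

```python
import ipaddress

# Assumed policy limits (not from the original post).
MIN_PREFIXLEN = {4: 16, 6: 32}   # shortest prefix a downstream may enter
MAX_V4_ADDRESSES = 2 ** 18       # cap on total IPv4 space in one filter


def check_filter(entries, max_v4_addresses=MAX_V4_ADDRESSES):
    """Validate a downstream's submitted list of permitted source prefixes.

    Returns (accepted, rejected): accepted is a collapsed list of networks,
    rejected is a list of (entry, reason). Only wide-open or malformed
    entries are refused; anything else is accepted for later audit.
    """
    nets, rejected = {4: [], 6: []}, []
    for text in entries:
        try:
            # strict=True refuses entries with host bits set, e.g. 192.0.2.1/24
            net = ipaddress.ip_network(text.strip(), strict=True)
        except ValueError as exc:
            rejected.append((text, f"malformed: {exc}"))
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            rejected.append((text, "wide-open: prefix too short"))
        else:
            nets[net.version].append(net)

    # Merge overlapping and adjacent prefixes so duplicates are not double
    # counted; the total-size cap then catches a wide-open filter split into
    # many entries that each pass the length check.
    v4 = list(ipaddress.collapse_addresses(nets[4]))
    v6 = list(ipaddress.collapse_addresses(nets[6]))
    if sum(n.num_addresses for n in v4) > max_v4_addresses:
        rejected.extend((str(n), "wide-open: total IPv4 space over cap") for n in v4)
        v4 = []
    return v4 + v6, rejected


if __name__ == "__main__":
    # Constructed submission using documentation prefixes.
    submitted = ["192.0.2.0/25", "192.0.2.128/25", "0.0.0.0/0",
                 "198.51.100.7/24", "2001:db8::/32", "::/0"]
    ok, bad = check_filter(submitted)
    print("install:", [str(n) for n in ok])
    for entry, reason in bad:
        print("refused:", entry, "-", reason)
```

Entries that pass are installed as given; the accepted and refused lists together are what an operator would log to support the after-the-fact review the message describes.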