Are you talking BGP level customers or individual small businesses' broadband service?
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

----- Original Message -----
From: "John Levine" <jo...@iecc.com>
To: nanog@nanog.org
Sent: Monday, September 26, 2016 11:04:33 AM
Subject: Re: Request for comment -- BCP38

>If you have links from both ISP A and ISP B and decide to send traffic out
>ISP A's link sourced from addresses ISP B allocated to you, ISP A *should*
>drop that traffic on the floor. There is no automated or scalable way for
>ISP A to distinguish this "legitimate" use from spoofing; unless you
>consider it scalable for ISP A to maintain thousands if not more
>"exception" ACLs to uRPF and BCP38 egress filters to cover all of the cases
>of customers X, Y, and Z sourcing traffic into ISP A's network using IPs
>allocated to them by other ISPs?

I gather the usual customer response to this is "if you don't want our
$50K/mo, I'm sure we can find another ISP who does."

From the conversations I've had with ISPs, the inability to manage
legitimate traffic from dual homed customer networks is the most
significant bar to widespread BCP38.

I realize there's no way to do it automatically now, but it doesn't
seem like total rocket science to come up with some way for providers
to pass down a signed object to the customer routers that the routers
can then pass back up to the customer's other providers.

R's,
John

PS: "Illegitimate" is not a synonym for inconvenient, or hard to handle.
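
Added example, not part of either message above: a minimal Python model of the source-address check ISP A applies on a customer port, showing that traffic sourced from ISP B's allocation is dropped exactly like spoofed traffic until a per-customer exception entry is added. The class, the port name and the documentation prefixes are constructed for illustration.

```python
import ipaddress

# Constructed example data: documentation prefixes standing in for real allocations.
ISP_A_ALLOCATION = ipaddress.ip_network("192.0.2.0/24")     # assigned to the customer by ISP A
ISP_B_ALLOCATION = ipaddress.ip_network("198.51.100.0/24")  # assigned to the same customer by ISP B


class CustomerPort:
    """ISP A's view of one customer-facing interface (hypothetical model)."""

    def __init__(self, name, allocated):
        self.name = name
        self.allocated = list(allocated)   # prefixes ISP A itself routes to this port
        self.exceptions = []               # manually maintained per-customer ACL entries

    def add_exception(self, prefix):
        self.exceptions.append(ipaddress.ip_network(prefix))

    def check_source(self, src):
        """Return (verdict, reason) for a packet arriving with source address src."""
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in self.allocated):
            return "forward", "source within ISP A allocation"
        if any(addr in net for net in self.exceptions):
            return "forward", "source matches exception ACL"
        return "drop", "source not valid on this port"


def demo():
    port = CustomerPort("cust-X", [ISP_A_ALLOCATION])
    packets = ["192.0.2.10", "198.51.100.10", "203.0.113.99"]  # A-space, B-space, unrelated
    before = [port.check_source(p)[0] for p in packets]
    port.add_exception(ISP_B_ALLOCATION)   # the per-customer entry ISP A must maintain
    after = [port.check_source(p)[0] for p in packets]
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before exception:", before)
    print("after exception: ", after)
```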