On Tue, Jun 6, 2017 at 2:25 AM, Hank Nussbacher <h...@efes.iucc.ac.il> wrote:

(I think this is really Ron and Bill chatting, but some of the linkage got lost on the tubes)
> > > I've read article after article after article bemoaning the fact that
> > > "BGP isn't secure",
> >
> > They're talking about a different problem: ISPs are supposed to configure
> > end-user BGP sessions per BCP38 which limits which BGP announcements the
> > customer can make. Some ISPs are sloppy and incompetent and don't do this.
> > Unfortunately, once you're a level or two upstream the backbone ISP
> > actually can't do much to limit the BGP announcements because it's often
> > impractical to determine whether a block of IP addresses can legitimately
> > be announced from a given peer.

Just a clarifying note: I don't think bcp38 talks about BGP at all, actually...

I think Bill is actually saying:
"ISPs are supposed to configure bcp38 to filter TRAFFIC from their customers/peers and BGP filters to limit the scope of the customer routes sent/received"

I don't think the filtering of customer prefixes/announcements is actually covered in a BCP though.
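The two controls distinguished in the reply above, as an added example that is not part of the original thread: the same customer prefix list drives both a source-address check on traffic and a prefix filter on BGP announcements. The customer prefixes (documentation ranges), the maximum-length policy and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: address space assigned to one hypothetical customer.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:100::/40")
]
# Assumed policy: most specific announcement accepted, per address family.
MAX_LEN = {4: 24, 6: 48}


def permit_packet(src):
    """Traffic filter (the BCP38 side): accept a packet from the customer
    port only if its SOURCE ADDRESS lies inside the customer's space."""
    addr = ipaddress.ip_address(src)
    return any(
        addr.version == net.version and addr in net for net in CUSTOMER_PREFIXES
    )


def permit_announcement(prefix):
    """Route filter (the BGP side): accept an announced PREFIX only if it is
    covered by the customer's space and is not more specific than policy."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen > MAX_LEN[net.version]:
        return False
    # The version test must come first: subnet_of() raises on mixed families.
    return any(
        net.version == cust.version and net.subnet_of(cust)
        for cust in CUSTOMER_PREFIXES
    )


def audit(packets, announcements):
    """Return the rejected items from each plane, kept separate because a
    session can pass one filter and fail the other."""
    return {
        "spoofed_sources": [p for p in packets if not permit_packet(p)],
        "rejected_routes": [a for a in announcements if not permit_announcement(a)],
    }


if __name__ == "__main__":
    # Constructed inputs: one legitimate and one out-of-range item per plane.
    print(audit(
        ["192.0.2.55", "198.51.100.7"],
        ["192.0.2.0/24", "198.51.100.0/24", "192.0.2.128/25"],
    ))
```
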