Re: [apnic-talk] NICs and Egress filtering?
On Wed, Jan 10, 2001 at 10:41:26AM +1030, Phil Crooker wrote:
> Geoff Huston wrote:
> >
> > "How would they enforce them?"
> >
> > Good question Joe, and one which I've also thought about without getting
> > to any sensible conclusion myself.
I can see clear and straightforward avenues if an APNIC member, say,
misbehaves and acts contrary to the policies of APNIC; after all,
that's why the membership agreement is a binding contract that
members are obliged to sign. For members, there is always the unspoken
threat that future resource delegations might be declined due to
misbehaviour.

However, the registry has no stick to wield against a miscreant
who is not a member. In practical terms, there is precisely
nothing that the registry can do to change the behaviour of a
rogue operator directly. The best avenue I can think of is lobbying
the membership (and the community in general) to police the rules on
the registry's behalf.
> > Egress filter would ensure that traffic used source addresses consistent
> > with routing advertisements (RFC 2827) right?
> >
> > But surely this would also require that the routing system itself has some
> > level of trustable integrity. The issue in my mind is: how is the integrity
> > of the routing system managed?
There are lots of unidirectional-return wireless operators who would
be off the air if everybody blocked traffic like that. And while
pmtud is widely misused, and tunnelling is, in consequence,
problematic, what other options do those operators have?
> From the end user's viewpoint it appears things work because users
> complain when they go wrong.
That's true a lot of the time, I think. Many ISPs' primary network
surveillance tool is the helpdesk phone. If it's not ringing,
the network must be up.
Joe
* APNIC-TALK: General APNIC Discussion List *