I'm not saying UUNet should install whatever filters I want on their
routers. I'm just saying the net would be a MUCH nicer place if NSPs all
did ingress filtering on their customer connections. If current routers
can't handle the load this would create, then NSPs need to find vendors
willing to deliver the necessary power, or they need to rethink the way
they design their networks.
Most of my customers have customers who in turn have
customers, not a few of whom are multi-homed. Same for
So, at POP X, I take in maybe 100 prefixes, with maybe 1000
at some POPs. How do I build and maintain that filter list,
The same way you build and maintain routing filter lists for the
prefixes you take in.
You do use routing filter lists, don't you?
It should be the same list of networks.
and how long does it take each packet to get through it with
a router that also does real routing?
Therein lies the argument.
Do the huddled masses want things that move packets or things that make
judgements on them? Difficult to have both.
I don't think the world is yet able to technically support security
within the infrastructure that provides transit. It needs to be
at a separate layer, or on the fringe.
The economies of today's customer aggregation routers do not
allow a person to invest in that functionality inherent in the
router. (yes, they could, but that cuts into the company's bottom
line, and as there really isn't that big of an outcry or decrement
in QOS of the company's IP product, why would they?)
Accordingly, one must rely upon reactionary security folk to track
down the attacks of bogus packets. Significant investment should be
made and supported in building automated response systems and scripts.
Should the USPS forbid mail with bad return addresses?
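As an added illustration of the point raised earlier in the thread, that the ingress filter on a customer port can be derived from the same prefix list already used to filter the routes accepted from that customer, here is a small Python sketch. It is example code written for this page, not something any poster supplied; the prefixes, the packet samples and the ACL number are constructed values, and the rendered output follows the Cisco IOS standard `access-list` syntax as one concrete target.

```python
import ipaddress
from collections import Counter

# Constructed sample: the prefixes the route filter accepts from one customer.
# In practice this list would come from the same source as the BGP prefix-list.
CUSTOMER_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/25"]


def build_ingress_filter(prefixes):
    """Reuse the route-filter prefix list as a packet-level source-address filter."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def source_permitted(filter_nets, src_ip):
    """A packet may enter only if its source lies in a prefix the customer may originate."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in filter_nets)


def apply_ingress_filter(filter_nets, packets):
    """Classify (src, dst) pairs from a customer port.

    Returns the permitted packets and a counter of dropped source addresses;
    the counter is what an operator would log and alert on to spot spoofing.
    """
    permitted, dropped = [], Counter()
    for src, dst in packets:
        if source_permitted(filter_nets, src):
            permitted.append((src, dst))
        else:
            dropped[src] += 1
    return permitted, dropped


def render_cisco_acl(filter_nets, acl_number):
    """Emit the same filter as a Cisco IOS extended ACL (wildcard masks, final deny+log)."""
    lines = [
        f"access-list {acl_number} permit ip {net.network_address} {net.hostmask} any"
        for net in filter_nets
    ]
    lines.append(f"access-list {acl_number} deny ip any any log")
    return lines


# Constructed traffic sample as seen on the customer-facing interface.
SAMPLE_PACKETS = [
    ("192.0.2.10", "10.0.0.1"),     # inside an accepted prefix: forwarded
    ("203.0.113.200", "10.0.0.2"),  # outside the /25 (covers .0-.127): dropped
    ("10.9.9.9", "10.0.0.3"),       # not a customer prefix at all: dropped
]

if __name__ == "__main__":
    nets = build_ingress_filter(CUSTOMER_PREFIXES)
    ok, bad = apply_ingress_filter(nets, SAMPLE_PACKETS)
    print("forwarded:", ok)
    print("dropped by source:", dict(bad))
    print("\n".join(render_cisco_acl(nets, 100)))
```

The thread's objection about multi-homed downstream customers still applies: any prefix such a customer may legitimately source through this port has to be in the route filter before the packet filter built from it will pass that traffic, which is exactly why keeping the two lists identical matters.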