[lir-wg] AS Number Policy
Christopher Sharp ripe-lir-wg at chriss.net
Thu Jul 11 16:47:51 CEST 2002
On Thu, 11 Jul 2002 15:07:23 +0200, Gert Doering <gert at space.net> wrote:

>On Thu, Jul 11, 2002 at 11:23:59AM +0000, Christopher Sharp wrote:
>> The argument I normally hear is that people want to be lenient to customers but
>> tough on outsiders. Hence bogon filters invariably get placed on ingress
>> peering points rather than customer interfaces of which there are far more.
>
>Crappy argument. You can't do reverse path filtering on peering points
>(after all, most of the world's IP range is "outside").
>
>The *only* thing that works is strict anti-spoofing filters on all
>customer lines.

We all know that it's a crappy argument, but lots of people try using it. Especially those who have large legacy implementations that either don't have or don't support filters on customer lines.

Over the years I have seen a lot of providers who let their customers advertise whatever they want into their internal route tables. I've seen customers of "tier-1" providers with multiple circuits routing RFC1918 space between their offices, across 1000s of miles over the provider's cloud. Sure it's caught by egress filters on the ISPs' borders (in most cases) and most ISPs filter their new customer interfaces, but there are plenty of legacy configurations out there that the older players are frightened to break.

Bogon filtering at ingress points is something that people are doing. There might be plenty of other things they should be doing, but many people aren't. In my experience customer line filters (where they exist) are rarely updated, whilst ingress bogon filters on peering connections are well maintained. If you want to encourage people to add filters and maintain them responsibly then this is the best place for them.

Filtering these renegade addresses should only be a last resort. It will make re-allocation of them a lot harder. The threat of such filters would be an excellent incentive for people to return ASNs and address space when requested though.

C.