We're in total agreement then. I just wanted to clarify that the
egress filtering by ISPs has to be at the end-user portions of their
networks, not (necessarily) the exits from their networks at peering
points.
David Gillett
On 10 Jun 2001, at 9:59, Paul D. Robertson wrote:
> On Sun, 10 Jun 2001 [EMAIL PROTECTED] wrote:
>
> > Egress filtering at border points is appropriate for leaf networks.
>
> Which is exactly what I'm proposing.
>
> > Many ISPs, though, also ferry third-party traffic between their
> > peering points; it would be inappropriate for them to accept traffic
> > that an egress rule elsewhere will prevent them from delivering.
>
> Egress rules don't prevent anything from being delivered if the egress is
> legitimate.
>
> > This isn't to say that it can't or shouldn't be done, only that
> > determining how much filtering should be done, and at which routers,
> > may be less simple for multi-homed ISPs than it sounds.
>
> Once again, I'm stressing that end-user network filtering be the
> major point of egress filtering, not ISP networks.
>
> ISPs can do fairly easy filtering based on prefixes they transit or
> announce, but I agree with the contention that the aggregation of traffic
> is too much at those points to not affect performance by filtering in the
> transit space. ISP's hosting networks should, of course employ egress
> filtering, but in that case, they're acting as a leaf node, not a transit
> entity.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> [EMAIL PROTECTED] which may have no basis whatsoever in fact."
>
>