It's also worth noting that of the considerable number of IXs that as13414
peers at worldwide, we've never seen someone enforce their own prefix
database, or do the BCP38 enforcement *for* the provider. IXs use RADB, and
push security from transit theft onto the ISP.
To see a New Zealand IX, whose requirements are pushing no boundaries in
terms of traffic or anything else, try to re-invent the wheel in a manner
that may have a considerably negative impact on the New Zealand internet is
concerning and strange at best.
On Mon, Jul 27, 2015 at 4:40 PM, Dave Mill
On Tue, Jul 28, 2015 at 11:31 AM, Tim Hoffman wrote:
- Reflection attack mitigation - switch ports are tied to prefixes and MAC addresses so the exchange SDN switch will not accept traffic sourced from a prefix which is not supposed to be coming from this particular port, as registered on the NZIX2 portal
So you are effectively implementing uRPF strict mode? That's an *interesting* decision. There are many situations where a transit provider may be used by an ASN for outbound traffic only - or for outbound traffic for all prefixes, and inbound for only certain prefixes - for either load balancing or fault mitigation. By doing this you break the ability of NZ providers to allow this. You are effectively enforcing a standard which is not used on the major transit networks in NZ.
What Tim describes above reflects what we do with our transit providers. So very interested in responses/discussions on this point in particular.
Cheers
Dave
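
The trade-off discussed in this thread, as an added example that is not part of any poster's message or of NZIX2's own code: a per-port source-prefix check (the strict behaviour described above) next to a loose check that accepts a source registered on any port. The port names, the registration table and the packets are constructed, and the loose check is added here only for comparison.

```python
import ipaddress

# Constructed registration table: IX port -> source prefixes registered on it.
# Port names are hypothetical; prefixes are RFC 5737 documentation ranges.
PORT_PREFIXES = {
    # The ASN sends outbound traffic for all of its prefixes via transit A,
    # but only wants inbound traffic for 192.0.2.0/24 there.
    "port-transit-a": ["192.0.2.0/24"],
    "port-transit-b": ["192.0.2.0/24", "198.51.100.0/24"],
}

def strict_accept(port, src):
    """Per-port check: src must fall inside a prefix registered on this port."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p)
               for p in PORT_PREFIXES.get(port, []))

def loose_accept(src):
    """Loose check: src must fall inside a prefix registered on any port."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p)
               for prefixes in PORT_PREFIXES.values() for p in prefixes)

# Constructed packets: (ingress port, source address, what the case represents)
PACKETS = [
    ("port-transit-a", "192.0.2.10", "symmetric: prefix registered on this port"),
    ("port-transit-a", "198.51.100.7", "outbound-only use of transit A"),
    ("port-transit-a", "203.0.113.9", "source not registered on any port"),
]

def evaluate(packets):
    """Return (port, src, strict verdict, loose verdict) for each packet."""
    return [(port, src, strict_accept(port, src), loose_accept(src))
            for port, src, _ in packets]

if __name__ == "__main__":
    for (port, src, strict, loose), (_, _, why) in zip(evaluate(PACKETS), PACKETS):
        print(f"{port:15} {src:14} strict={strict!s:5} loose={loose!s:5} {why}")
```

The second packet is the asymmetric-routing case raised in the thread: legitimate traffic that the per-port check drops, while the third is dropped by both checks.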