It's also worth noting that of the considerable number of IXs that as13414 peers at worldwide, we've never seen someone enforce their own prefix database, or do the BCP38 enforcement *for* the provider. IXs use RADB, and push security from transit theft onto the ISP.

To see a New Zealand IX, whose requirements are pushing no boundaries in terms of traffic or anything else, try to re-invent the wheel in a manner that may have considerably negative impact on the New Zealand internet is concerning and strange at best.

On Mon, Jul 27, 2015 at 4:40 PM, Dave Mill <davemill@gmail.com> wrote:


On Tue, Jul 28, 2015 at 11:31 AM, Tim Hoffman <tim@hoffman.net.nz> wrote:
  • Reflection attack mitigation
    • switch ports are tied to prefixes and mac addresses so the exchange SDN switch will not accept traffic sourced from a prefix which is not supposed to be coming from this particular port, as registered on the NZIX2 portal
So you are effectively implementing uRPF strict mode? That's an interesting decision. There are many situations where a transit provider may be used by an ASN for outbound traffic only - or for outbound traffic for all prefixes, and inbound for only certain prefixes - for either load balancing or fault mitigation. By doing this you break the ability of NZ providers to allow this. You are effectively enforcing a standard which is not used on the major transit networks in NZ.


What Tim describes above reflects what we do with our transit providers. So very interested in responses/discussions on this point in particular.

Cheers
Dave
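
Added example, not part of the thread and not NZIX2's implementation: a constructed model of the per-port source check discussed above. It compares a strict check against the prefixes tied to a port with a check against everything the member originates, for symmetric, outbound-only and spoofed traffic. Port names, prefixes and both tables are assumptions.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation prefixes); not from the thread.
# Prefixes tied to each port, i.e. what the member announces there (assumed).
ANNOUNCED_ON_PORT = {
    "port1": ["192.0.2.0/24"],
    "port2": ["203.0.113.0/24"],
}
# Every prefix the member behind the port legitimately originates,
# e.g. taken from its IRR objects (assumed table).
ORIGINATED_BY_MEMBER = {
    "port1": ["192.0.2.0/24", "198.51.100.0/24"],
    "port2": ["203.0.113.0/24"],
}

def _covers(prefixes, src):
    """True if src falls inside any of the given prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def strict_accept(port, src):
    """Strict mode: source must be in a prefix tied to this exact port."""
    return _covers(ANNOUNCED_ON_PORT.get(port, []), src)

def origin_accept(port, src):
    """Looser check: source must be in any prefix the member originates."""
    return _covers(ORIGINATED_BY_MEMBER.get(port, []), src)

def evaluate(packets):
    """Return (port, src, strict verdict, origin-based verdict) per packet."""
    return [(p, s, strict_accept(p, s), origin_accept(p, s)) for p, s in packets]

# Constructed packets: (ingress port, source address)
PACKETS = [
    ("port1", "192.0.2.10"),    # symmetric: announced and sourced on this port
    ("port1", "198.51.100.7"),  # outbound-only use: owned, but not announced here
    ("port2", "192.0.2.10"),    # spoofed: port2's member does not own this prefix
]

if __name__ == "__main__":
    for port, src, strict, origin in evaluate(PACKETS):
        print(f"{port} {src:<14} strict={strict!s:<5} origin-based={origin}")
```

Both checks drop the spoofed source; only the strict one also drops the member's legitimate outbound-only traffic.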