On 27 Jul 2015, at 23:21, Todd Dickason wrote:
• Implement IETF BCP38
• Instead of relying on peers to implement BCP38, NZIX2 enforces it by only allowing traffic sourced from a prefix which has been registered on the NZIX2 portal to enter the exchange
This is super interesting stuff. We have a clear direction from our members that they do NOT want us to do this (actually, any filtering - and with good — non-technical — reasons) in London and Leeds, but I find innovation to protect the internet by preventing attacks sourced from networks too delinquent and unintelligent to filter their access customers very interesting. Why registering on a portal rather than looking at the prefixes offered to the exchange via a collector?
On 28 Jul 2015, at 00:31, Tim Hoffman wrote:
So you are going to require peers to register on your portal, rather than using RADB which is the industry standard solution for exactly this problem? Why?
RADB is used for prefix-lists that filter whether a BGP advertisement reaches the RIB rather than at a packet (layer 3 forwarding) layer. It’s unpoliced so cannot protect against malicious attack but does prevent most accidents. You could incorporate RADB by using it to build prefix-lists on the collector and then building layer 2-3 forwarding ACLs on the switches based on the prefixes imported into the collector’s RIB. Very very very interesting indeed!
Andy Davidson (Director at LONAP and IXLeeds in the UK; and of the European Internet Exchange Association; and a council member at NapAfrica)
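The two-stage idea in the message above (IRR-derived prefix-lists on the collector, then per-port source ACLs built from the collector's RIB), as an added example that is not part of the original thread. The peer names, prefixes, data structures and the choice to accept more-specifics of a registered route are assumptions made for illustration.

```python
import ipaddress as ip

# Constructed sample data (documentation prefixes), not from the thread.
# Route objects registered in an IRR such as RADB, keyed by peer.
IRR_ROUTES = {
    "peer-a": ["192.0.2.0/24", "198.51.100.0/24"],
    "peer-b": ["203.0.113.0/24"],
}
# Prefixes each peer announces to the exchange's route collector.
COLLECTOR_ANNOUNCEMENTS = {
    "peer-a": ["192.0.2.0/25", "192.0.2.128/25", "203.0.113.0/24"],
    "peer-b": ["203.0.113.0/24"],
}

def nets(prefixes):
    return [ip.ip_network(p) for p in prefixes]

def build_rib(irr, announced):
    """Prefix-list stage: an announcement reaches the collector RIB only if
    a route object registered for the same peer covers it."""
    rib = {}
    for peer, prefixes in announced.items():
        registered = nets(irr.get(peer, []))
        rib[peer] = [a for a in nets(prefixes)
                     if any(a.version == r.version and a.subnet_of(r)
                            for r in registered)]
    return rib

def build_source_acl(rib):
    """Forwarding stage: per-peer-port permit list aggregated from the RIB."""
    acl = {}
    for peer, accepted in rib.items():
        acl[peer] = [n for v in (4, 6)
                     for n in ip.collapse_addresses(
                         [a for a in accepted if a.version == v])]
    return acl

def permit(acl, peer, src):
    """True if a packet arriving on this peer's port may carry source `src`."""
    addr = ip.ip_address(src)
    return any(addr in n for n in acl.get(peer, []))

ACL = build_source_acl(build_rib(IRR_ROUTES, COLLECTOR_ANNOUNCEMENTS))

if __name__ == "__main__":
    for peer, entries in ACL.items():
        print(peer, [str(n) for n in entries])
```

Because the ACL follows the RIB rather than the IRR, peer-a's registered but unannounced 198.51.100.0/24 gets no permit entry, so traffic sourced from it would be dropped on that port.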