- Reflection attack mitigation
- Switch ports are tied to prefixes and MAC addresses, so the exchange SDN switch will not accept traffic sourced from a prefix which is not supposed to be coming from this particular port, as registered on the NZIX2 portal.
So you are effectively implementing uRPF strict mode? That's an interesting decision. There are many situations where a transit provider may be used by an ASN for outbound traffic only - or for outbound traffic for all prefixes, and inbound for only certain prefixes - for either load balancing or fault mitigation. By doing this you break the ability of NZ providers to allow this. You are effectively enforcing a standard which is not used on the major transit networks in NZ.
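The per-port source check described in the announcement, together with the asymmetric-routing case the reply raises, as an added example that is not part of the original thread. Port numbers, MAC addresses and prefixes are constructed (documentation ranges), and the registry layout is an assumption, not the NZIX2 portal's format.

```python
import ipaddress

# Constructed registry (assumed layout): port -> (member MAC, registered source prefixes)
REGISTRY = {
    1: ("02:00:00:00:00:01", ["192.0.2.0/24"]),
    2: ("02:00:00:00:00:02", ["198.51.100.0/24", "203.0.113.0/25"]),
}

def build_table(registry):
    """Parse the registry once so each frame check is a membership test."""
    return {port: (mac.lower(), [ipaddress.ip_network(p) for p in prefixes])
            for port, (mac, prefixes) in registry.items()}

def check_frame(table, port, src_mac, src_ip):
    """Return (accepted, reason) for a frame arriving on an exchange port."""
    entry = table.get(port)
    if entry is None:
        return False, "unknown port"
    mac, prefixes = entry
    if src_mac.lower() != mac:
        return False, "MAC not registered on port"
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in prefixes):
        return False, "source prefix not registered on port"
    return True, "ok"

TABLE = build_table(REGISTRY)

# Constructed frames: (ingress port, source MAC, source IP)
FRAMES = [
    # Member 1 sending from its own registered prefix.
    (1, "02:00:00:00:00:01", "192.0.2.10"),
    # Member 1 sending with a source address inside member 2's prefix:
    # the spoofed-source pattern that reflection attacks depend on.
    (1, "02:00:00:00:00:01", "198.51.100.7"),
    # Member 2 sending outbound from 203.0.113.128/25, a prefix it holds but
    # has not registered on this port (the outbound-only case from the reply).
    (2, "02:00:00:00:00:02", "203.0.113.200"),
    # Correct prefix for port 2, but the MAC belongs to another member.
    (2, "02:00:00:00:00:01", "198.51.100.7"),
]

def classify(frames, table=TABLE):
    return [check_frame(table, *frame) for frame in frames]

if __name__ == "__main__":
    for frame, (ok, reason) in zip(FRAMES, classify(FRAMES)):
        print(frame, "ACCEPT" if ok else "DROP", reason)
```

The second and third frames are dropped for the same reason: a strict per-port check cannot tell a spoofed source from a legitimate prefix that is simply not registered on that port.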