(6bone) Ingress filtering (was: asymmetric routing)

Michel Py michel@arneill-py.sacramento.ca.us
Wed, 30 Jan 2002 20:35:03 -0800


Dave,

> Dave Wilson wrote:
> I think the harm caused by sloppy aggregation of address space
> is clear.
> I think the harm caused by inadequate filtering of source
> addresses is also clear.

Concur.

> These are separate considerations, however. Forwarding traffic
> with a source address that is not your own, for good or ill,
> doesn't harm the routing table in the same way that unaggregated
> advertisements do, and so it seems to me it's entirely compatible
> with (or agnostic of) the principle of strict aggregation.

Concur also.

> In fact, if an ISP has to advertise an address block just to
> be allowed source traffic from it, that is a big incentive to
> clutter the routing table.

Concur again.

> If the customer has legitimate reason for sending alien traffic
> (i.e. the space has been allocated to the customer by another
> ISP), I see no reason why the ISP can't choose to allow it.

Can we enumerate the legitimate reasons for sending (accepting I
think would be more appropriate) alien IPv6 PA traffic? In my mind,
there are not any, and multihoming is NOT a legitimate reason. It's
not like it is a bad idea, but requiring ISPs to transport the
traffic of their competitors is not going to fly, no way.

Imagine the following scenario:
You are a multihomed content provider. You have two ISPs, X and Y.
You have two PA prefixes, PX and PY. A dial-up customer queries
your server using its PX address. The return traffic (src=PX,
dest=cust) could, indeed, go out through ISP Y.

What is wrong with that: ISP Y is going to scream that it
transports ISP X' (its direct competitor) traffic for free. The
return traffic, from the multihomed content provider to Joe
customer, is the bulk of the bandwidth as of today.

This is more about ingress filtering than about asymmetric traffic.
I am not saying that asymmetric traffic is bad (I am sure that many
of us could live without it, though). I think that a by-product of
the strong aggregation of IPv6 prefixes will be a lot more
symmetric traffic patterns.

The point I am trying to make is: unless you can give me a
legitimate reason why ISP Y should accept ISP X' PA prefix PX as
the source, there is no reason NOT to have access-lists that deny
customer's traffic that has a source address that does not belong to the
ISP's PA address space and is not a PI address. There are no IPv6
PI addresses as of today. Please prove me wrong.

> We get asymmetric traffic all the time in the default free zone,
> since we're all allowed to choose localprefs independently of
> each other. It's no big deal.

Asymmetric for PI addresses, yes. Alien AP traffic coming from one
of your own customers, another kind of animal.

> Where a site chooses to allow a customer to route traffic
> asymmetrically, and otherwise implements RFC2827, I don't
> understand the harm in allowing a multihoming solution based on
> this. My instinct says that we'd lose a whole swathe of
> potential solutions for arguably little benefit.

The main harm is to the perceived revenue loss transporting other
provider's traffic for free. A little bird has told me that most
ISPs perceive it very strongly.

Michel.
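
Added example, not part of the original message: the multihomed scenario above run through the access-list rule described in the message (permit a customer's packet only if its source is in the ISP's own PA space or is PI). The prefixes and server addresses are constructed from the 2001:db8::/32 documentation range, and the function names are hypothetical.

```python
import ipaddress

# Constructed addressing from the 2001:db8::/32 documentation range; the
# message names only PX and PY and gives no actual prefixes.
ISP_PA = {
    "X": ipaddress.ip_network("2001:db8:1000::/36"),  # PX
    "Y": ipaddress.ip_network("2001:db8:2000::/36"),  # PY
}
PI_PREFIXES = []  # the message states there are no IPv6 PI addresses

# The multihomed content provider's server holds one address per provider.
SERVER_ADDR = {
    "PX": ipaddress.ip_address("2001:db8:1000:42::80"),
    "PY": ipaddress.ip_address("2001:db8:2000:42::80"),
}

def ingress_verdict(isp, src, pi_prefixes=PI_PREFIXES):
    """Customer-facing ACL of `isp`: permit only own PA space or PI sources."""
    src = ipaddress.ip_address(src)
    if src.version != 6:
        return "deny"  # this models the IPv6 ACL only
    if src in ISP_PA[isp]:
        return "permit"
    if any(src in net for net in pi_prefixes):
        return "permit"
    return "deny"

def return_traffic_matrix():
    """Verdict for each (source prefix, exit ISP) pair of the server's replies."""
    return {
        (label, isp): ingress_verdict(isp, addr)
        for label, addr in SERVER_ADDR.items()
        for isp in ISP_PA
    }

if __name__ == "__main__":
    for (label, isp), verdict in sorted(return_traffic_matrix().items()):
        print(f"src={label} via ISP {isp}: {verdict}")
```

With this rule in place at both providers, the server's replies survive only when they leave through the ISP that assigned the source address; the src=PX reply sent out through ISP Y is dropped at Y's customer edge.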