On Fri, 8 Jun 2001, Young, Beth A. wrote: > OK, enough rambling but I don't see that a public ISP will be any different > than this state run ISP. The end users are responsible for their actions. > As a state entity, we have a slight advantage in that we can do end user > education on a regular basis but that doesn't seem to make a difference.... You wouldn't accept BGP routes from them advertising entities outside of their scope of responsibility, accepting sourced traffic under the same provisions isn't a big leap. You wouldn't let them put in CSU/DSUs that locked the one at your end of the circuit, allowing them to connect routers that don't protect your backbone isn't a big leap. There is absolutely no legitimate reason for any ISP to let a customer generate packets sourced from anything other than (a) their address space or (b) a multicast group. Connectivity requirements are fairly easy- just like not accepting IPX or AT from the customer is pretty easy. Service providers could *easily* mandate this for connectivity. I'd be willing to try to dig up the code to re-spin up our anti-spoofing test tool if we could get the bulk of providers to mandate this as a connectivity requirement- then providers could get customers to prove they'd filtered correctly. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@patriot.net which may have no basis whatsoever in fact." - [To unsubscribe, send mail to majordomo@lists.gnac.net with "unsubscribe firewalls" in the body of the message.]