On Sun, 10 Jun 2001 dgillett@deepforest.org wrote:

> Egress filtering at border points is appropriate for leaf networks.

Which is exactly what I'm proposing.

> Many ISPs, though, also ferry third-party traffic between their
> peering points; it would be inappropriate for them to accept traffic
> that an egress rule elsewhere will prevent them from delivering.

Egress rules don't prevent anything from being delivered if the egress is legitimate.

> This isn't to say that it can't or shouldn't be done, only that
> determining how much filtering should be done, and at which routers,
> may be less simple for multi-homed ISPs than it sounds.

Once again, I'm stressing that end-user network filtering be the major point of egress filtering, not ISP networks. ISPs can do fairly easy filtering based on prefixes they transit or announce, but I agree with the contention that the aggregation of traffic is too much at those points to not affect performance by filtering in the transit space. ISPs' hosting networks should, of course, employ egress filtering, but in that case, they're acting as a leaf node, not a transit entity.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@patriot.net    which may have no basis whatsoever in fact."

-
[To unsubscribe, send mail to majordomo@lists.gnac.net with
"unsubscribe firewalls" in the body of the message.]
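The leaf-network egress policy Paul describes (permit outbound packets only when the source address falls inside the prefixes the network is assigned or announces, drop and log everything else) is simple enough to state as code. The following is an added example, not code from the thread or from any of the posters; the prefixes and the sample packets are constructed (RFC 5737 documentation ranges), and the filter is a host-side simulation of the check a border router or firewall would apply, so it runs offline.

```python
"""Simulated egress (source-address) filter for a leaf network.

Added example, not part of the original thread. The policy is the one
discussed on the list: a leaf network's border device should only let
packets out whose source address belongs to a prefix that network is
assigned or announces; everything else is spoofed or misrouted and is
dropped and logged.
"""
import ipaddress
from typing import Callable, Iterable, List, Tuple

# Constructed example: prefixes assigned to the leaf network
# (RFC 5737 documentation ranges, not real allocations).
LEAF_PREFIXES = [
    "203.0.113.0/24",
    "198.51.100.0/25",
]

# Constructed sample of outbound packets as (source, destination) pairs.
# 198.51.100.200 is outside the /25; 10.0.0.5 is private space; 192.0.2.7
# belongs to some other organisation's prefix. None of those should leave.
SAMPLE_PACKETS = [
    ("203.0.113.10", "192.0.2.80"),
    ("198.51.100.7", "192.0.2.80"),
    ("198.51.100.200", "192.0.2.80"),
    ("10.0.0.5", "192.0.2.80"),
    ("192.0.2.7", "192.0.2.80"),
]


def build_egress_filter(prefixes: Iterable[str]) -> Callable[[str], bool]:
    """Return a predicate that is True when `src` lies inside one of `prefixes`.

    Works for IPv4 and IPv6 prefixes; an address of the other IP version never
    matches a prefix, so it is treated as not ours.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]

    def allowed(src: str) -> bool:
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in nets)

    return allowed


def apply_egress_filter(
    packets: Iterable[Tuple[str, str]], prefixes: Iterable[str]
) -> List[Tuple[str, str, str]]:
    """Apply the egress policy to each packet and return (src, dst, verdict)."""
    allowed = build_egress_filter(prefixes)
    return [
        (src, dst, "permit" if allowed(src) else "drop")
        for src, dst in packets
    ]


def egress_drop_log(decisions: Iterable[Tuple[str, str, str]]) -> List[str]:
    """One log line per dropped packet; these are the events worth alerting on,
    since a steady stream of drops usually means a misconfigured or compromised
    host inside the leaf network."""
    return [
        f"EGRESS-DROP src={src} dst={dst} reason=source-not-in-assigned-prefix"
        for src, dst, verdict in decisions
        if verdict == "drop"
    ]


if __name__ == "__main__":
    results = apply_egress_filter(SAMPLE_PACKETS, LEAF_PREFIXES)
    for src, dst, verdict in results:
        print(f"{verdict:6} {src} -> {dst}")
    for line in egress_drop_log(results):
        print(line)
```

The same predicate describes the transit-ISP case Paul distinguishes: an ISP filtering "based on prefixes they transit or announce" would build the filter from the union of its customers' prefixes rather than its own, and his point stands that at an aggregation router that prefix list is long and the traffic volume high, which is why he places the filter at the leaf.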