It can't. One solution would be blackholing AS 456 from AS 789 at the request of its members. Hopefully this will teach 456 to stop misbehaving.
Though we do assume that the AS won't itself misbehave and send a spoofed packet to one of its member peers, and most of the time it's true.
We have to worry about misbehaving ISPs for which previously mentioned filtering works.
> Netadmins can make those kinds of statements about traffic originating from within their own networks because they set the rules. But at an interconnection the types of networks connecting, and the purpose of the connection might mean there is little meaningful anti-spoofing protection that can be done.
I don't think so. The IXP can force peers to provide their IP space even if it's the whole internet. At least they won't be able to spoof IPs outside of their space. If they do spoof DDoS from their own space the above solution would probably suffice.
EDIT: I just realized peers already have to give destination IP ranges. So the IXP doesn't have to force anyone.
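An added example, not part of the comment above: a sketch of the per-member source check the comment describes, where a packet is forwarded only if its source address lies in the space registered by the member it arrived from. The ASNs, prefixes, packets and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation ASNs and prefixes, not from the thread):
# the ranges each IXP member has registered as its own address space.
PEER_PREFIXES = {
    "AS64500": ["192.0.2.0/24", "2001:db8:a::/48"],
    "AS64501": ["198.51.100.0/24"],
}

def build_acl(peer_prefixes):
    """Parse each member's registered prefixes into network objects."""
    return {peer: [ipaddress.ip_network(p) for p in prefixes]
            for peer, prefixes in peer_prefixes.items()}

def source_allowed(acl, peer, src):
    """True if src falls inside a prefix registered by the sending peer."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net
               for net in acl.get(peer, []))  # unknown peer: empty list, so deny

def classify(acl, packets):
    """Return (peer, src, verdict) for each (ingress peer, source address)."""
    return [(peer, src, "forward" if source_allowed(acl, peer, src) else "drop")
            for peer, src in packets]

# Constructed packets: (member port the packet arrived on, claimed source IP).
SAMPLE_PACKETS = [
    ("AS64500", "192.0.2.10"),     # genuine source inside the member's space
    ("AS64500", "203.0.113.7"),    # source outside the member's space
    ("AS64501", "192.0.2.10"),     # source belongs to a different member
    ("AS64500", "192.0.2.200"),    # false source, but inside the member's own space
    ("AS64502", "198.51.100.1"),   # member with no registered prefixes
    ("AS64500", "2001:db8:a::1"),  # IPv6 source inside the member's space
]

if __name__ == "__main__":
    for row in classify(build_acl(PEER_PREFIXES), SAMPLE_PACKETS):
        print(*row)
```

The fourth packet is forwarded: the filter cannot distinguish a false source inside the member's own space, which is the case the comment leaves to blackholing on request.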