an effect of ignoring BCP38

Pekka Savola pekkas at netcore.fi
Thu Sep 11 02:59:50 CDT 2008


On Thu, 11 Sep 2008, Jo Rhett wrote:
> I've been in, near, or directly in touch with enough big provider NOCs in the 
> last year on various DoS attach research issues, and nearly nobody... that's 
> right NONE of them were using BCP38 consistently.  Name the five biggest 
> providers you can think of.  They ain't doing it.   Now name the five best 
> transit providers you can think of.  They ain't doing it either.  (note that 
> all of these claimed to be doing so in that survey, but during attack 
> research they admitted that it was only in small deployments)
>
> If someone told me (truthfully) that there was 10% BCP38 compliance out 
> there, I'd be surprised given what I have observed.

A problem I have with these discussions is that everyone has their own 
idea what "BCP38" implies.  Others say their loose-mode uRPF setups 
are "BCP38".  Others are using strict uRPF or similar (e.g. acls). 
Some think that Tier1 transit operators should apply one of the 
options above to their tier2 customers.  Others think it should just 
be applied at the site-edges.  Some don't consider spoofing protection 
at LAN interface level at all, others call that also BCP38.  Etc.

Your note above seems to imply that you would expect the five best 
transit providers you think of to apply BCP38 (strict?) to their 
customers.  Even if the customer is a major ISP?  (However, if your 
argument is about a smallish end-site, I'd agree spoofing protection 
should be applied there.)

FWIW, I've tested what would happen if I were to enable strict-mode 
(feasible paths) uRPF on an Internet exchange (all peerings).  If I 
recall correctly, the amount of dropped packets would have been in the 
order of 1%.  We decided not to do it.  Maybe those "five biggest 
providers you can think of" have similar experiences with their 
biggest customers?

Loose mode URPF is seems (IMHO) pretty much waste of time and is 
confusing the discussion about real spoofing protection.  The added 
protection compared to ACLs that drop private and possibly bogons is 
not that big and it causes transient losses when the routing tables 
are changing.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings




More information about the NANOG mailing list