Request for comment -- BCP38

Mon Sep 26 15:04:05 UTC 2016

On Mon 2016-Sep-26 07:47:50 -0700, Stephen Satchell <list at satchell.net> wrote:

>On 09/26/2016 07:11 AM, Paul Ferguson wrote:
>>No -- BCP38 only prescribes filtering outbound to ensure that no
>>packets leave your network with IP source addresses which are not
>>from within your legitimate allocation.
>
>So, to beat that horse to a fare-thee-well, to be BCP38 compliant I 
>need, on every interface sending packets out to the internet, to 
>block any source address matching a subnet in the BOGON list OR not 
>matching any of my routeable network subnets?  

TBF, I would assume that you don't have routable/allocated networks within 
BOGON ranges, so just "if src in mynets permit else discard" covers both 
sets.

>Plus add null-route entries for all the BOGONs in my routing table so I 
>don't send a bad destination packet to my upstream?

I don't think that falls within the purview of BCP38 as BCP38 has to do 
with source address filtering/verification rather than destination.  If 
you're running full tables and filtering BOGONs on BGP import, though, you 
shouldn't have routes for BOGONs in your tables and with a 0/0 discard 
should be dropping them anyway, but if you're not running full tables and 
so need to "punch holes" in a static default, then explicit null-routes for 
BOGON destinations would do it.  Honestly, though: your upstream probably 
drops BOGON destinations anyway, so dropping BOGON destinations within your 
own network is just (a) good hygiene and (b) saves from your transit bill 
however may bps of BOGON-destined traffic you have.

-- 
Hugo Slabbert       | email, xmpp/jabber: hugo at slabnet.com
pgp key: B178313E   | also on Signal
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20160926/f8e60920/attachment.sig>