BCP38 on public-facing Ubuntu servers

Jean St-Laurent jean at ddostest.me
Wed Jun 2 10:35:25 UTC 2021


Maybe you can explore the in-kernel feature called RP filter or reverse path filter. In router gear it's called uRPF.

cat /proc/sys/net/ipv4/conf/default/rp_filter

There are 2 modes: Loose or strict. 

If your server is BGP multi-homed, then you must use loose. Loose is still very powerful and useful.

Basically, RP is doing what a router does, but the opposite way. When a packet arrives on your server, it checks the routing table for the destination next-hop, and RP also checks whether the frames arrived from the good source interface. If your routing is asymmetric or spoofed, then RP drops it.
It's a nice feature, but it's doing a double route checkup, so for sure it's slightly slower. I'm not sure we can say that it's twice as slow though.

I assume your network is not asymmetric, so RP would help you for ingress traffic. For egress, then add blackhole routes to the /dev/null interface or with the bogon scripts in Python. I wouldn't use iptables for that as it's purely routing, but there are many ways to achieve the same goal.

I recommend exploring rp_filter as it might do what you're looking for.

As a side note, iptables is super slow when under attack and/or under heavy load.
There are a lot of limitations, like the kernel can only forward ~1.4 Mpps per cpu/socket with iptables. It's too slow in my opinion and this was still true recently, but I can't confirm with the latest 5.x kernel. It could have been fixed or improved.

Finally, can you share with us which provider doesn't filter BCP38 in their uplink? #JustCurious. 😊

Jean



-----Original Message-----
From: NANOG <nanog-bounces+jean=ddostest.me at nanog.org> On Behalf Of Stephen Satchell
Sent: June 2, 2021 12:41 AM
To: nanog at nanog.org; satch at ine.com
Subject: BCP38 on public-facing Ubuntu servers

Not every uplink service implements BCP38.  When putting up servers connected more-or-less directly to the Internet through these uplinks, it would be nice if the servers themselves were able to implement ingress and egress filtering according to BCP38.  (Sorry about the typo in the subject lines of my previous message -- not everyone can get a BGP feed.)

(Or, when using Ubuntu server edition to implement edge routers.)

My earlier query was asking if anyone has encoded the blackhole routes in YAML for inserting in netplan(5).  My prior message contains the routes to be blackholed.  That takes care of egress routing.

(I think I can write a Python program to take my list and convert it to the YAML that netplan(5) wants to see.  That way, the routes are inserted when the public interface is up, and removed when the public interface is down.)

Ingress routing appears to be a one-line addition.  IPTABLES can be told to weed out packets with unroutable source addresses.  My experiments will add something like this line to the firewall:

# iptables -A INPUT -m addrtype -i enp1s0 --src-type BLACKHOLE -j DROP

THIS HAS NOT BEEN VERIFIED.  I'm building a web server that will integrate this idea, and try it out.

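The list-to-YAML conversion Stephen describes, as an added example that is not code from either poster: it takes a list of unroutable prefixes and emits a netplan(5) fragment with one `type: blackhole` route per prefix on the public interface. It assumes netplan's `routes:` schema with `to:` and `type: blackhole`, the interface name enp1s0 from the message above, and a constructed sample of a few bogon prefixes rather than the full list from the earlier message; the `local_addrs` guard is an addition so a prefix that would swallow the server's own address (for example a management IP inside 10/8) is refused instead of silently blackholed.

```python
import ipaddress

# Constructed sample of unroutable source prefixes; the real list is longer.
SAMPLE_BOGONS = [
    "0.0.0.0/8",
    "10.0.0.0/8",
    "127.0.0.0/8",
    "169.254.0.0/16",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "240.0.0.0/4",
]


def normalize_prefixes(prefixes):
    """Parse, validate and de-duplicate prefixes.

    strict=True makes a prefix with host bits set (e.g. 10.0.1.0/8) a
    ValueError, so a typo cannot turn into a wider blackhole than intended.
    """
    nets = {ipaddress.ip_network(p, strict=True) for p in prefixes}
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def netplan_blackhole_yaml(prefixes, iface="enp1s0", local_addrs=()):
    """Render a netplan YAML fragment with a blackhole route per prefix.

    Any prefix that contains one of local_addrs is refused: a blackhole
    covering the box's own address or gateway would cut it off the network.
    """
    nets = normalize_prefixes(prefixes)
    locals_ = [ipaddress.ip_address(a) for a in local_addrs]
    for net in nets:
        for addr in locals_:
            if addr.version == net.version and addr in net:
                raise ValueError(f"{net} contains local address {addr}; refusing to blackhole it")
    lines = [
        "network:",
        "  version: 2",
        "  ethernets:",
        f"    {iface}:",
        "      routes:",
    ]
    for net in nets:
        lines.append(f"        - to: {net.with_prefixlen}")
        lines.append("          type: blackhole")  # no 'via': the kernel drops matching traffic
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(netplan_blackhole_yaml(SAMPLE_BOGONS), end="")
```

Writing the output to a file under /etc/netplan/ and running `netplan apply` installs the routes together with the interface configuration, so they come and go with the interface as the message intends.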