BCP38 making it work, solving problems

Daniel Senie dts at senie.com
Mon Oct 11 22:03:08 UTC 2004

At 05:41 PM 10/11/2004, Richard A Steenbergen wrote:

> >On Mon, Oct 11, 2004 at 02:58:59AM +0000, Fergie (Paul Ferguson) wrote:
> >
> > It's better than a sharp stick in the eye, I'll tell ya,
> > lad.
> >
> > Listen to me: It's called a "best current practice" for a
> > reason -- people should do it. Not sit and around and endlessly
> > discuss it (we've already done that a thousand times).
> >
> > I wrote it, I stand beside it. I'm sick of hearing why people
> > haven't implemented it yet -- it's almost five years later
> > and there's simply no excuse. It's sickening.
>Tell it to the vendors of the layer 3 customer attach devices. I was just
>speaking about this with a major "up and coming layer 2/3 switch vendor"
>the other day, who had no implementation or real plans to implement uRPF
>in the immediate future. It apears that there are no enterprise customers
>asking for this feature (not a shock), despite the fact that they are
>probably a leading generator of hacked machines throwing bad packets down
>reasonably big pipes.

I've removed the rest of your message, talking about which vendors do or 
don't have what capabilities. While I agree it'd be nice if more vendors 
offered automated tools for implementing ingress filtering, such tools are 
unnecessary in most corporate network cases, thus the lack of corporate 
customers asking for the feature. In reality every device offering access 
control lists capable of filtering on source IP address can and does have 
sufficient capability to implement BCP38.

While I appreciate the desire to have a single switch solution, like was 
possible with BCP34, it's a bit more complex to do in this case. It is, 
however, disingenuous to say that devices don't support BCP38 because they 
don't have an automated widget to implement it. Keep in mind that uRPF is 
an implementation of BCP38 capability, and other implementations are 
entirely possible.

This was probably obvious to you, but others reading might find the 
clarification useful. 

More information about the NANOG mailing list