BCP38 making it work, solving problems

Richard A Steenbergen ras at e-gerbil.net
Mon Oct 11 23:51:19 UTC 2004


On Mon, Oct 11, 2004 at 06:03:08PM -0400, Daniel Senie wrote:
> 
> I've removed the rest of your message, talking about which vendors do or 
> don't have what capabilities. While I agree it'd be nice if more vendors 
> offered automated tools for implementing ingress filtering, such tools are 
> unnecessary in most corporate network cases, thus the lack of corporate 
> customers asking for the feature. In reality every device offering access 
> control lists capable of filtering on source IP address can and does have 
> sufficient capability to implement BCP38.
> 
> While I appreciate the desire to have a single switch solution, like was 
> possible with BCP34, it's a bit more complex to do in this case. It is, 
> however, disingenuous to say that devices don't support BCP38 because they 
> don't have an automated widget to implement it. Keep in mind that uRPF is 
> an implementation of BCP38 capability, and other implementations are 
> entirely possible.
> 
> This was probably obvious to you, but others reading might find the 
> clarification useful. 

Yes, if a box has source address packet filtering capabilities you can 
filter packets by source address ("Duh"). This doesn't mean that it is 
going to be sane or easy to implement the filtering by manually 
maintaining an ACL of every prefix/host on every interface where you could 
have a customer or corporate box injecting spoofed packets into the 
network. I believe there are plenty of corporate networks out there that 
are far too complex to maintain with manual ACLs; I believe the reason 
that no one cares is simply because... no one cares. :) 

If you expect people to be able to maintain these filters on any scale, 
they need tools. Certainly uRPF is a good tool to do this, and certainly 
someone could implement some others that are different, but the complete 
lack of any tool, especially on the boxes where you should be doing this 
filtering, counts as a failure in my book.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
