an effect of ignoring BCP38

Jo Rhett jrhett at
Thu Sep 11 12:25:01 CDT 2008

On Sep 11, 2008, at 10:10 AM, Valdis.Kletnieks at wrote:
> Part of the problem is that if you're talking about the 5 biggest providers,
> and the 5 biggest transit, you're talking about places with routing swamps
> big enough, and with sufficient dragons in residence, that you really *can't*
> do BCP38 in any sane manner.  AS1312 (us) is able to do very strict BCP38
> on a per-port level on every router port, because we *know* what's supposed to
> be on every subnet.  By the time you walk our list of upstreams to any of
> the '5 biggest anything', you've gotten to places where our multihomed status
> means you can't filter our source address very easily (or more properly, where
> you can't filter multihomed sources in general).

I don't agree with this statement.  I hear this a lot, and it's not  
really true.  Being multihomed doesn't mean that your source addresses  
are likely to be random.  (or would be valid if they were)

A significant portion of our customers, and *all* of the biggest  
paying ones, are multihomed.  And they might have a lot of different  
ranges, but we know what the ranges are and filter on those.

> The MIT Spoofer project seems to indicate that closer to 50% *of the edge* is
> doing sane filtering. And that's where you need to do it - *edge* not *core*.

I've said much the same myself.  With the caveat that if you aren't  
doing it at the edge, you need to be doing it at the closest edge you  
can find.

Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness
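
Added example, not part of the original message or of either poster's configuration: the per-port source filtering discussed in the thread, written in Python, where a multihomed customer is simply a port with several known ranges. Customer names, port names and prefixes are constructed (documentation ranges), and the port-to-customer mapping is a hypothetical stand-in for router provisioning data.

```python
import ipaddress

# Constructed data: ranges each customer is known to originate. The multihomed
# customer holds space from this provider, from another upstream, and an IPv6 block.
CUSTOMER_PREFIXES = {
    "cust-single": ["192.0.2.0/25"],
    "cust-multihomed": ["192.0.2.128/25", "198.51.100.0/24", "2001:db8:40::/48"],
}
# Hypothetical mapping of edge router ports to the customer attached to them.
PORT_TO_CUSTOMER = {"ge-0/0/1": "cust-single", "ge-0/0/2": "cust-multihomed"}

def build_filters(port_map, prefixes):
    """Return {port: [ip_network, ...]} for every customer-facing port."""
    return {
        port: [ipaddress.ip_network(p) for p in prefixes[cust]]
        for port, cust in port_map.items()
    }

def permit_source(filters, port, src):
    """BCP38 check: accept only if src falls inside a prefix known for the port."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: drop
    nets = filters.get(port, [])  # a port with no known ranges permits nothing
    return any(addr.version == n.version and addr in n for n in nets)

def audit(filters, packets):
    """Split (port, src) samples into permitted and dropped lists."""
    permitted, dropped = [], []
    for port, src in packets:
        bucket = permitted if permit_source(filters, port, src) else dropped
        bucket.append((port, src))
    return permitted, dropped

FILTERS = build_filters(PORT_TO_CUSTOMER, CUSTOMER_PREFIXES)
# Constructed sample of (ingress port, source address) pairs.
SAMPLE = [
    ("ge-0/0/2", "198.51.100.77"),   # multihomed customer, other upstream's space
    ("ge-0/0/2", "2001:db8:40::1"),  # same customer, IPv6 block
    ("ge-0/0/2", "203.0.113.9"),     # not a range this customer holds
    ("ge-0/0/1", "192.0.2.200"),     # another customer's range on this port
]

if __name__ == "__main__":
    ok, bad = audit(FILTERS, SAMPLE)
    print("permitted:", ok)
    print("dropped:  ", bad)
```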
