an effect of ignoring BCP38

Jo Rhett jrhett at netconsonance.com
Thu Sep 11 17:25:01 UTC 2008


On Sep 11, 2008, at 10:10 AM, Valdis.Kletnieks at vt.edu wrote:
> Part of the problem is that if you're talking about the 5 biggest providers,
> and the 5 biggest transit, you're talking about places with routing swamps
> big enough, and with sufficient dragons in residence, that you really *can't*
> do BCP38 in any sane manner.  AS1312 (us) is able to do very strict BCP38
> on a per-port level on every router port, because we *know* what's supposed to
> be on every subnet.  By the time you walk our list of upstreams to any of
> the '5 biggest anything', you've gotten to places where our multihomed status
> means you can't filter our source address very easily (or more properly, where
> you can't filter multihomed sources in general).

I don't agree with this statement.  I hear this a lot, and it's not  
really true.  Being multihomed doesn't mean that your source addresses  
are likely to be random.  (or would be valid if they were)

A significant portion of our customers, and *all* of the biggest  
paying ones, are multihomed.  And they might have a lot of different  
ranges, but we know what the ranges are and filter on those.

> The MIT Spoofer project seems to indicate that closer to 50% *of the edge* is
> doing sane filtering. And that's where you need to do it - *edge* not *core*.


I've said much the same myself.  With the caveat that if you aren't
doing it at the edge, you need to be doing it at the closest edge you
can find.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness
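
Added example, not part of the original message: a sketch of the per-port source-address check discussed in this thread, where a multihomed customer's port lists every range the customer is known to use, including one assigned by another upstream. The port names and the customer-to-prefix table are hypothetical, and the prefixes are constructed from the RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed sample table (hypothetical ports, documentation prefixes).
# cust-a is multihomed: one range assigned by us, one by its other upstream.
ALLOWED_SOURCES = {
    "ge-0/0/1": ["192.0.2.0/25", "198.51.100.0/24"],  # cust-a (multihomed)
    "ge-0/0/2": ["192.0.2.128/25"],                    # cust-b (single-homed)
}


def build_filters(table):
    """Parse the prefix strings once so lookups compare network objects."""
    return {
        port: [ipaddress.ip_network(prefix) for prefix in prefixes]
        for port, prefixes in table.items()
    }


def permit(filters, port, src):
    """True only if src lies inside a prefix registered for the ingress port."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: drop
    # A port with no registered prefixes permits nothing (default deny).
    return any(
        addr.version == net.version and addr in net
        for net in filters.get(port, ())
    )


def dropped(filters, packets):
    """Return the (port, src) pairs that the ingress filter would discard."""
    return [(port, src) for port, src in packets if not permit(filters, port, src)]


# Constructed sample traffic: (ingress port, source address).
SAMPLE_PACKETS = [
    ("ge-0/0/1", "192.0.2.10"),    # cust-a, range assigned by us
    ("ge-0/0/1", "198.51.100.7"),  # cust-a, range from its other upstream
    ("ge-0/0/1", "203.0.113.5"),   # not a registered cust-a range
    ("ge-0/0/2", "192.0.2.10"),    # cust-a's address arriving on cust-b's port
    ("ge-0/0/2", "192.0.2.200"),   # cust-b, valid
    ("ge-0/0/9", "192.0.2.10"),    # port with no table entry
]

if __name__ == "__main__":
    filters = build_filters(ALLOWED_SOURCES)
    for port, src in dropped(filters, SAMPLE_PACKETS):
        print(f"drop {src} on {port}")
```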





