[Update] Re: New ISP to market, BCP 38, and new tactics

Steve Bertrand steve at ibctech.ca
Wed Feb 4 01:33:23 UTC 2009


For all the kind folk who have been asking how my project is going, I'll
summarize here.

- I've enabled strict uRPF filtering on all interfaces where I am certain
what the source will be.

- I've implemented a mix of loose uRPF combined with ACLs on interfaces
that I know have multi-homed clients.

- On all interfaces that run the risk of blocking traffic by accident,
I've implemented strict inbound ACLs for known-bad (combined always
with Team Cymru BGP learnt bogons), and with logging counter ACLs for
all other traffic. After a couple more days, I should be able to focus
more strictly on these interfaces.

- I've made significant changes to my 'core', moving from static routes
to an iBGP mesh over OSPF learnt loopbacks. This will allow me to
implement a couple of host-based routing daemon boxes for the easy
insertion of sinkhole routes in the event of significantly bad
behaviour. With my scripting knowledge, preparing a recommended sinkhole
route for insertion, ready for admin approval, will be easy, and so will
having the route removed automatically (or manually) if the attack has
ceased. I like the idea of traffic flowing to a host-based machine to
null as opposed to null'ing it on the router, as (from what I can tell)
it will make it easier to track the flow of the problem ingress and egress.

- Currently (as I write), I'm migrating my entire core from IPv4 to
IPv6. I've got the space, and I love to learn, so I'm just lab-ing it up
now to see how things will flow with all iBGP v4 routes being
advertised/routed over v6.

The division of the v6 space still overwhelms me, so I guess I'll do
what someone else stated in another thread if I mess this one up: go to
ARIN for another 1000 /32's :)

(no, I'll learn from my mistake, and be ready for the next one)

Cheers, and thanks!

Steve
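
The strict/loose uRPF split described in the message above can be modelled as a reverse-path lookup; this is an added example, not part of the original post. The prefixes, the interface names (`cust1`, `cust2`, `upstream0`, `null0`) and the choice to ignore the default route unless `allow_default` is set are assumptions made for the illustration.

```python
import ipaddress

# Constructed FIB for illustration: (prefix, egress interface).
# "null0" stands for a discard route, e.g. a bogon learnt over BGP.
FIB = [
    ("0.0.0.0/0", "upstream0"),
    ("198.51.100.0/24", "cust1"),      # single-homed customer
    ("203.0.113.0/24", "upstream0"),   # multi-homed customer, best path via upstream
    ("10.0.0.0/8", "null0"),           # bogon pointed at discard
]

def best_route(src, fib=FIB):
    """Longest-prefix match on the source address; None if nothing matches."""
    addr = ipaddress.ip_address(src)
    nets = [(ipaddress.ip_network(p), ifname) for p, ifname in fib]
    matches = [m for m in nets if addr in m[0]]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def urpf_permits(src, in_if, mode, allow_default=False):
    """True if a packet from src arriving on in_if passes the uRPF check."""
    route = best_route(src)
    if route is None:
        return False
    net, out_if = route
    if out_if == "null0":              # discard route never validates a source
        return False
    if net.prefixlen == 0 and not allow_default:
        return False                   # default route alone does not count
    if mode == "strict":
        return out_if == in_if         # reverse path must use the arrival interface
    return True                        # loose: any real route to the source is enough

def audit(packets, mode):
    """Return the (src, in_if) pairs that the given mode would drop."""
    return [(s, i) for s, i in packets if not urpf_permits(s, i, mode)]

# Constructed sample traffic: (source address, arrival interface).
SAMPLE = [
    ("198.51.100.7", "cust1"),   # legitimate single-homed source
    ("203.0.113.5", "cust2"),    # legitimate multi-homed source, asymmetric path
    ("198.51.100.7", "cust2"),   # source that belongs behind cust1, seen on cust2
    ("10.1.2.3", "cust2"),       # bogon source
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, "drops", audit(SAMPLE, mode))
```

Strict mode drops the legitimate multi-homed source, while loose mode lets the source that belongs behind `cust1` through on `cust2`, which is the gap the inbound ACLs on those interfaces cover.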



