BCP38 is hard, was TWC (AS11351) blocking all NTP?

Saku Ytti saku at ytti.fi
Wed Feb 5 08:35:07 UTC 2014


On (2014-02-05 00:29 -0000), John Levine wrote:
> >Why does it have to be hard? Restricting the filter to addresses which
> >(A) the customer asserts are theirs 
> 
> How does the customer do that in a way that scales?
> 
> I don't think any of this is rocket science, but it apparently is a
> real block to BCP38/84 implementation.

A transit provider can do an ACL; on some platforms it can be 100% the same object
as used for BGP. Then set up an ultimate rule to allow and log.
Then cooperate with the customer to weed through the unexpected, until none remain,
and flip the allow to deny.

But I guess no one is saying it cannot be done, more that there is no pay-off
in it. A transit provider is compensated for bits transferred; spending money to
receive less money may not appeal to the people in charge.

You also wrote:

>>I was at a conference with people from some Very Large ISPs.  They
>>told me that many of their large customers absolutely will not let
>>them do BCP38 filtering.  ("If you don't want our business, we can
>>find someone else who does.")  The usual problem is that they have PA
>>space from two providers and for various reasons, not all of which are
>>stupid, traffic with provider A's addresses sometimes goes out through
>>provider B.  Adding to the excitement, some of these customers are
>>medium sized ISPs with multihomed customers of their own.

Someone who worked for such an ISP said they don't accept BCP38, because their
business is to sell services to instances who want to spoof for whatever
reason. The official reasons told to upstreams are different. He didn't
appreciate the business and no longer works for said ISP.
If what you say was the actual reason, it could be solved by a logging ACL.

We, the community, could produce tooling to automate this on a few popular
platforms: automatically build the ACL, a web interface for humans to classify
the logged/unknown, and when a human classifies a source as legit, automatically
create a route object for it.
Recreate the ACL from route objects, submit it to the router.

Repeat until the human operator is confident no further classification is needed,
and ask the tool to swap log+permit for deny.

Probably takes maybe 50h of development work.

-- 
  ++ytti, not it
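The ACL workflow the post sketches (build the customer ingress ACL from registered route objects, end it with a permit+log catch-all, classify what the catch-all logs, add route objects for legitimate sources, rebuild, and finally flip the catch-all to deny) is modelled below as an added example. It is not code from the post or from any NANOG tooling; the prefixes, the ACL name `CUST-IN`, and the log lines are constructed, and the log format only loosely imitates IOS access-list logging. The generated ACL syntax is IOS-style and limited to IPv4.

```python
"""Added example (not from the mailing-list post): a small model of the
BCP38 ingress-ACL workflow, from permit+log audit mode to deny."""
import ipaddress
import re
from collections import Counter

# Constructed sample: prefixes the customer has registered as route objects.
ROUTE_OBJECTS = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed sample hits on the ACL while it ends in "permit ip any any log".
# The format loosely follows IOS access-list logging but is made up here.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list CUST-IN permitted udp 192.0.2.10(123) -> 203.0.113.9(123), 1 packet
%SEC-6-IPACCESSLOGP: list CUST-IN permitted udp 198.51.100.200(123) -> 203.0.113.9(123), 4 packets
%SEC-6-IPACCESSLOGP: list CUST-IN permitted udp 198.51.100.201(123) -> 203.0.113.9(123), 2 packets
%SEC-6-IPACCESSLOGP: list CUST-IN permitted tcp 203.0.113.250(40000) -> 203.0.113.9(80), 1 packet
"""

LOG_RE = re.compile(
    r"list (?P<acl>\S+) permitted \w+ (?P<src>[\d.]+)\(\d+\) ->.*?(?P<pkts>\d+) packets?"
)


def build_acl(name, route_objects, final="log"):
    """Render an IOS-style extended ACL (IPv4 only): one permit per registered
    prefix, then a catch-all that is 'permit ip any any log' while auditing
    or 'deny ip any any' once the operator is confident nothing legit is left."""
    nets = sorted((ipaddress.ip_network(p) for p in route_objects),
                  key=lambda n: (int(n.network_address), n.prefixlen))
    lines = [f"ip access-list extended {name}"]
    for net in nets:
        # IOS uses a wildcard mask, i.e. the inverted netmask (hostmask).
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    if final == "log":
        lines.append(" permit ip any any log")
    elif final == "deny":
        lines.append(" deny ip any any")
    else:
        raise ValueError("final must be 'log' or 'deny'")
    return "\n".join(lines)


def covered(src, route_objects):
    """True if the source address falls inside a registered prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in route_objects)


def unknown_sources(log_text, route_objects, acl_name, agg=24):
    """Packet counts for logged hits whose source is in no registered prefix,
    aggregated to /agg so a human can classify them as legit or not."""
    counts = Counter()
    for m in LOG_RE.finditer(log_text):
        if m["acl"] != acl_name or covered(m["src"], route_objects):
            continue  # wrong ACL, or already explained by a route object
        agg_net = ipaddress.ip_network(f"{m['src']}/{agg}", strict=False)
        counts[str(agg_net)] += int(m["pkts"])
    return counts


def accept_source(route_objects, prefix):
    """A human classified a logged prefix as legitimate: record it as a
    route object (a plain list here; in practice an IRR submission)."""
    net = ipaddress.ip_network(prefix)
    if not any(net.subnet_of(ipaddress.ip_network(p)) for p in route_objects):
        route_objects.append(str(net))
    return route_objects


if __name__ == "__main__":
    objs = list(ROUTE_OBJECTS)
    print(build_acl("CUST-IN", objs))                    # audit mode
    print(unknown_sources(SAMPLE_LOG, objs, "CUST-IN"))  # what to classify
    accept_source(objs, "198.51.100.128/25")             # human said: legit
    print(unknown_sources(SAMPLE_LOG, objs, "CUST-IN"))  # only the odd one left
    print(build_acl("CUST-IN", objs, final="deny"))      # enforcing mode
```

Each pass regenerates the whole ACL from the route objects rather than editing it in place, which keeps the deployed filter and the registry in sync and makes the final swap a one-argument change.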
