BCP38 is hard; let's go shopping!

Christopher Morrow morrowc.lists at gmail.com
Wed Feb 5 22:21:42 UTC 2014


On Wed, Feb 5, 2014 at 4:46 PM, Jay Ashworth <jra at baylink.com> wrote:
> ----- Original Message -----
>> From: "joel jaeggli" <joelja at bogus.com>
>
>> > As I've noted, I'm not sure I believe that's true of current generation
>> > gear, and if it *is*, then it should cost manufacturers business.
>>
>> There are boxes that haven't aged out of the network yet where that's an
>> issue, some are more datacenter-centric than others. force10 e1200 was
>> one platform that had this limitation for example.
>
> So making sure manufacturers are producing gear that's BCP38-compliant,
> and buyers have it on their tick-list, is still a productive goal, too.

but, if it's a datacenter deployment there are mitigations you can
perform aside from uRPF... right?

you COULD just use a simple acl on the interface: "my local network
is..." which you could even automate.

you COULD do dhcp-snooping/mac-locking/etc and ensure that the
end-host is only using the one address(es) it's permitted to use.
(potentially harder to do on some gear)

you COULD clamp the outbound path from edge-L3 box -> code with the
right acl, since you know what traffic should come out of the local L3
edge piece.

the answer doesn't have to be uRPF.
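As an added illustration (not part of Morrow's message or the NANOG thread), the Python below models two of the uRPF alternatives he lists: a generated "my local network is..." ingress ACL on the customer-facing interface, and a per-port IP/MAC binding table of the kind DHCP snooping feeds into IP source guard. The prefixes, ports, MAC addresses and packets are all constructed sample data, and the ACL text is a generic Cisco-style rendering, not any vendor's exact grammar. The same `build_acl` output, applied outbound on the edge-L3 uplink, is the third option (clamping what may leave the edge toward the core).

```python
import ipaddress

# Constructed example: prefixes legitimately assigned behind this edge interface.
LOCAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed DHCP-snooping style binding table: access port -> (MAC, IP) that
# the switch has seen leased on that port. Anything else on the port is spoofed.
BINDINGS = {
    "Gi1/0/1": ("00:11:22:33:44:55", "192.0.2.10"),
    "Gi1/0/2": ("aa:bb:cc:dd:ee:ff", "198.51.100.20"),
}

# Constructed sample traffic as seen at the edge (source IP, ingress port, source MAC).
SAMPLE_PACKETS = [
    {"src": "192.0.2.10",    "port": "Gi1/0/1", "mac": "00:11:22:33:44:55"},  # legitimate
    {"src": "192.0.2.77",    "port": "Gi1/0/1", "mac": "00:11:22:33:44:55"},  # inside prefix, wrong host
    {"src": "203.0.113.5",   "port": "Gi1/0/1", "mac": "00:11:22:33:44:55"},  # spoofed, foreign prefix
    {"src": "198.51.100.20", "port": "Gi1/0/2", "mac": "aa:bb:cc:dd:ee:ff"},  # legitimate
]


def build_acl(prefixes, name="BCP38-IN"):
    """Render the 'permit my local networks, deny the rest' ACL from a prefix list.

    Generic Cisco-like syntax (hypothetical); the point is that the list is
    generated from inventory data, so it can be automated per interface.
    """
    lines = [f"ip access-list extended {name}"]
    for p in prefixes:
        # Wildcard masks are the inverse of the netmask, which ipaddress exposes as hostmask.
        lines.append(f" permit ip {p.network_address} {p.hostmask} any")
    lines.append(" deny ip any any log")
    return "\n".join(lines)


def acl_permits(pkt, prefixes=LOCAL_PREFIXES):
    """Interface-ACL check: the source must fall inside a locally assigned prefix."""
    addr = ipaddress.ip_address(pkt["src"])
    return any(addr in p for p in prefixes)


def binding_permits(pkt, bindings=BINDINGS):
    """Port-binding check: source IP and MAC must match what was leased on that port."""
    entry = bindings.get(pkt["port"])
    return entry is not None and entry == (pkt["mac"].lower(), pkt["src"])


def filter_packets(packets, check):
    """Split packets into (permitted, dropped) according to one of the checks above."""
    permitted, dropped = [], []
    for pkt in packets:
        (permitted if check(pkt) else dropped).append(pkt)
    return permitted, dropped


if __name__ == "__main__":
    print(build_acl(LOCAL_PREFIXES))
    for name, check in (("interface ACL", acl_permits), ("port binding", binding_permits)):
        ok, bad = filter_packets(SAMPLE_PACKETS, check)
        print(f"{name}: {len(ok)} permitted, {len(bad)} dropped ->", [p["src"] for p in bad])
```

Running it shows the trade-off between the two approaches: the prefix ACL stops the off-net spoof but lets a host forge another address within the local /24, while the binding table catches both at the cost of needing per-port lease state from the switch.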