large BCP38 compliance testing

Nick Hilliard nick at foobar.org
Thu Oct 2 11:35:35 UTC 2014


On 02/10/2014 12:23, Jérôme Nicolle wrote:
> This. But let me ask you, how many transit provider actually implement
> strict prefix-filtering ? I've seen many using a max-prefix as their
> sole defense.

Plenty do and have no back-end capability to handle this, other than email 
updates.

> Now, let's consider what you want is to match an interface ACL to
> prefixes received on a BGP session running through the same interface.
> Ain't that what uRPF-strict is all about ? What are the known downsides
> to uRPF-strict ?

Your bgp announcement to your upstream is not guaranteed to be there all 
the time.  E.g. if you're doing maintenance and stop announcing bgp to your 
upstream for inbound traffic, but still want to depend on it for outbound 
traffic, urpf will trash things.

urpf is only feasible for statically configured hand-offs.

> When buying from transits, you either update your IRR for automatic
> prefix-filter generation on your transit's side, or start by a "BGP over
> SMTP" session. While the former could generate ACLs from a template, the
> latter will be prone to human error. And still, how many of us _really_
> ensure their IRRs are always up-to-date ?

This only happens when there is a reason to do so.

> Next in line : IXPs. You never really know what routes will be available
> or have to be filtered when 800+ ASes, most with customers also using BGP,
> start talking to the same route-server. Or maybe, the route-server
> could provide a flowspec AFI to send filters AND routes simultaneously.

IXPs are more difficult, but if your IXP is running a route server, they 
should be implementing strict prefix filtering.  At least, this puts 
pressure on IXP participants to register their prefix at their local irrdb.

> Would you trust it ? Will your router have enough silicon-horse-power to
> match both IP _and_ L2 headers at line-rate ?

probably yes on most routers with dedicated hardware for this, but it will 
depend on the number of acl entries.

> BCP38 aims at spoof prevention by filtering as close to the source as
> possible. Implementation on network's edge looks to me like a tricky
> one. Sharing the load amongst CPE is the best practice, and could be
> considered a requirement enforced by transit providers. Or shouldn't it ?

urpf is appropriate for the ISP last hop.  Static filters are suitable for 
the transit provider connecting that ISP to the rest of the network.

Nick
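The failure mode Nick describes (strict uRPF trashing a customer's outbound traffic the moment the customer withdraws its BGP announcement, while a static ingress ACL keeps working) can be modelled in a few lines. The block below is an added example, not code from this thread or from any vendor; the FIB, the interface names and the RFC 5737 documentation prefixes are constructed for illustration, and the uRPF semantics are the usual ones (strict: best route to the source must point back out the ingress interface; loose: any non-default route to the source suffices unless allow-default is on).

```python
"""Model of strict/loose uRPF versus a static BCP38 ingress ACL.

Added example, not from the original thread. The FIB, interface names and
prefixes (RFC 5737 documentation ranges) are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
# A FIB entry is (prefix, egress interface), i.e. what BGP/static routes installed.
Fib = List[Tuple[Net, str]]


def lookup(fib: Fib, src: str) -> Optional[Tuple[Net, str]]:
    """Longest-prefix match for an address; returns (prefix, egress iface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_strict(fib: Fib, ingress: str, src: str) -> bool:
    """Strict mode: the best route to the source must point back out the ingress interface."""
    hit = lookup(fib, src)
    return hit is not None and hit[1] == ingress


def urpf_loose(fib: Fib, src: str, allow_default: bool = False) -> bool:
    """Loose mode: any route to the source suffices. A default route (0.0.0.0/0)
    matches every source, so it only counts when allow-default is set."""
    hit = lookup(fib, src)
    if hit is None:
        return False
    if hit[0].prefixlen == 0 and not allow_default:
        return False
    return True


def static_acl(permitted: List[Net], src: str) -> bool:
    """Static BCP38 ingress ACL built from the customer's registered prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in permitted)


# Constructed scenario: a transit router with one customer on ge-0/0/1 and the
# rest of the Internet (including a default route) reachable via ge-0/0/0.
CUSTOMER_IF = "ge-0/0/1"
UPSTREAM_IF = "ge-0/0/0"
CUSTOMER_PREFIXES = [Net("192.0.2.0/24"), Net("198.51.100.0/24")]


def fib_with_announcement() -> Fib:
    """Customer is announcing its prefixes over BGP on the customer interface."""
    return [(Net("0.0.0.0/0"), UPSTREAM_IF)] + [(p, CUSTOMER_IF) for p in CUSTOMER_PREFIXES]


def fib_after_withdrawal() -> Fib:
    """Customer has withdrawn its announcement (maintenance) but still sends outbound traffic."""
    return [(Net("0.0.0.0/0"), UPSTREAM_IF)]


def evaluate(fib: Fib, src: str) -> Dict[str, bool]:
    """Verdict of each ingress check for a packet from `src` arriving on the customer port."""
    return {
        "strict": urpf_strict(fib, CUSTOMER_IF, src),
        "loose": urpf_loose(fib, src),
        "acl": static_acl(CUSTOMER_PREFIXES, src),
    }


if __name__ == "__main__":
    for label, fib in (("announcing", fib_with_announcement()),
                       ("withdrawn", fib_after_withdrawal())):
        for src in ("192.0.2.10", "203.0.113.5"):
            print(label, src, evaluate(fib, src))
```

Running it shows the two cases side by side: while the customer announces 192.0.2.0/24, a packet from 192.0.2.10 passes all three checks and a packet spoofing 203.0.113.5 fails all three; once the announcement is withdrawn, the legitimate 192.0.2.10 packet is dropped by strict uRPF (its best route is now the default via the upstream port) but still permitted by the static ACL, and enabling allow-default on loose uRPF would let the spoofed source through as well.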