Request for comment -- BCP38

Florian Weimer fw at deneb.enyo.de
Sun Oct 2 12:59:16 UTC 2016


* Jay R. Ashworth:

> ----- Original Message -----
>> From: "Florian Weimer" <fw at deneb.enyo.de>
>
>> * Jason Iannone:
>
>>> Are urpf and bcp38 interchangeable terms in this discussion?  It seems
>>> impractical and operationally risky to implement two unique ways to dos
>>> customers.  What are the lessons learned by operators doing static output
>>> filters, strict urpf, or loose/feasible urpf?
>> 
>> Historically (in 1998, when RFC 2267 was released), BCP 38 was an
>> egress filter applied at the AS boundary.
>
> You meant ingress, no?

It's a bit murky.  Section 4 suggests that it's not possible to apply
ingress filters on dialup access concentrators.

> The control of the address space allocation resides with the upstream,
> as must control of the filtering.

That's not really true for customers who maintain their own routes and
IP assignments/allocations.

> You *can* do BCP38 egress filtering on your network, but that filter
> would *be in control of the Bad Guys* whom we're trying to kill off.

If you can't do ingress filtering (e.g. you do not give customers
dedicated physical ports, or the equipment does not allow tying ports
to specific IP addresses), egress filtering is surely better than
nothing at all.

In theory, it would not matter because the other side should have a
matching ingress filter.  In practice, egress filtering would make a
significant difference in traceability of attacks.  Any additional
filtering would do so.

Again, the goal should not be to deploy specific technology in a
certain way, but to reduce spoofing and attacks which cannot be traced
back to the packet sources.
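
Added example (not part of the original message): a small Python model of the two filter placements discussed above, per-customer ingress filtering and AS-boundary egress filtering, showing which spoofed sources each one stops. The prefixes, port names and packets are constructed for illustration (RFC 5737 documentation ranges).

```python
import ipaddress

# Constructed topology; assumption, not taken from the thread.
AS_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
PORT_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/25")],
    "cust-b": [ipaddress.ip_network("192.0.2.128/25")],
}

def in_any(src, prefixes):
    """True if the source address falls inside any of the given prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)

def ingress_permits(port, src):
    """Per-customer ingress filter: source must be in the prefixes assigned to that port."""
    return in_any(src, PORT_PREFIXES.get(port, []))

def egress_permits(src):
    """AS-boundary egress filter: source must belong to some prefix of this AS."""
    return in_any(src, AS_PREFIXES)

def classify(port, src):
    """Return what each filter placement would do with one packet."""
    return {
        "ingress": "permit" if ingress_permits(port, src) else "drop",
        "egress": "permit" if egress_permits(src) else "drop",
    }

# Constructed packets: (arrival port, claimed source address)
SAMPLES = [
    ("cust-a", "192.0.2.10"),    # legitimate source for cust-a
    ("cust-a", "192.0.2.200"),   # claims an address assigned to cust-b
    ("cust-a", "203.0.113.7"),   # claims an address outside the AS
]

if __name__ == "__main__":
    for port, src in SAMPLES:
        print(port, src, classify(port, src))
```

In this model the egress filter alone still passes the second packet, but any source address that leaves the AS is one of its own prefixes, so a trace leads at least to the originating AS.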

