Request for comment -- BCP38

Stephen Satchell list at satchell.net
Sun Oct 2 16:25:50 UTC 2016


On 10/01/2016 06:39 PM, Jay R. Ashworth wrote:
> You *can* do BCP38 egress filtering on your network, but that filter
> would *be in control of the Bad Guys* whom we're trying to kill off.

I don't see how you arrive at this conclusion.  For an aggregating 
router, the Bad Guys(tm) don't get anywhere near the control plane of 
the thing.  Besides, my security training (such as it is) demands that 
one implement defence in depth.  Specifically, if the Bad Guys(tm) find 
a way around my ingress filtering, the egress filtering will bump 'em off.

Where egress filtering really makes sense is with tunnels over SSH.  I 
haven't found where I can "hook into" a SSH tunnel with Linux.  I can 
turn off shell (and do), but the inbound packets look like local 
origination to the NetFilter.  And (at this early time) The Rules(sm) 
say that you always ACCEPT packets to and from "lo".  I've learned from 
hard experience that violating that rule breaks a lot of stuff.

Then there is the web server case.  The Bad Guys(tm) have access to PHP, 
or Perl, or even a user-level shell, but again NO ACCESS TO THE CONTROL 
PLANE.  Do we really want web-generated packets to get a bye?

(I want to put BGP egress filters on my mail servers, my FTP servers, my 
time servers, my *anything* servers.  It's easy, and it means the 
defence gets as close to the source as I can get it.)

> The filtering needs to be on the other side of the administrative
> span of control fence.

No reason NOT to have filtering on BOTH sides of that fence...



More information about the NANOG mailing list