Request for comment -- BCP38
Stephen Satchell
list at satchell.net
Sun Oct 2 16:25:50 UTC 2016
On 10/01/2016 06:39 PM, Jay R. Ashworth wrote:
> You *can* do BCP38 egress filtering on your network, but that filter
> would *be in control of the Bad Guys* whom we're trying to kill off.
I don't see how you arrive at this conclusion. For an aggregating
router, the Bad Guys(tm) don't get anywhere near the control plane of
the thing. Besides, my security training (such as it is) demands that
one implement defence in depth. Specifically, if the Bad Guys(tm) find
a way around my ingress filtering, the egress filtering will bump 'em off.
Where egress filtering really makes sense is with tunnels over SSH. I
haven't found where I can "hook into" an SSH tunnel with Linux. I can
turn off shell (and do), but the inbound packets look like local
origination to the NetFilter. And (at this early time) The Rules(sm)
say that you always ACCEPT packets to and from "lo". I've learned from
hard experience that violating that rule breaks a lot of stuff.
Then there is the web server case. The Bad Guys(tm) have access to PHP,
or Perl, or even a user-level shell, but again NO ACCESS TO THE CONTROL
PLANE. Do we really want web-generated packets to get a bye?
(I want to put BGP egress filters on my mail servers, my FTP servers, my
time servers, my *anything* servers. It's easy, and it means the
defence gets as close to the source as I can get it.)
> The filtering needs to be on the other side of the administrative
> span of control fence.
No reason NOT to have filtering on BOTH sides of that fence...
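The per-server egress filter the post argues for, written up as an added example (not from the thread or its authors) for Linux nftables: it drops anything leaving the box with a source address the host does not own, while keeping the "always accept lo" rule. The addresses 192.0.2.10 and 2001:db8::10 are constructed documentation values, and the file path is an assumption.

```shell
#!/bin/sh
# Added example: host-level BCP38 egress filter for nftables.
# Assumes the server's legitimate source addresses are passed in as
# comma-separated lists (addresses or prefixes, non-empty).

# gen_bcp38_ruleset V4_LIST V6_LIST -> prints an nft ruleset on stdout.
gen_bcp38_ruleset() {
  v4="$1"; v6="$2"
  cat <<EOF
table inet bcp38_egress {
  set own_v4 { type ipv4_addr; flags interval; elements = { $v4 } }
  set own_v6 { type ipv6_addr; flags interval; elements = { $v6 } }
  chain output {
    type filter hook output priority 0; policy accept;
    # Loopback traffic never leaves the host, so it is not a spoofing
    # concern; keep the usual "accept lo" rule.
    oif "lo" accept
    # A packet leaving with a source address this host does not own is
    # spoofed or misconfigured: count it, log it, drop it.
    ip saddr != @own_v4 counter log prefix "BCP38-EGRESS " drop
    ip6 saddr != @own_v6 counter log prefix "BCP38-EGRESS " drop
  }
}
EOF
}

# check_ruleset FILE -> 0 if nft accepts the syntax (dry run, nothing is
# loaded), 2 if nft is not installed so the check cannot run here.
check_ruleset() {
  command -v nft >/dev/null 2>&1 || return 2
  nft -c -f "$1"
}

# Usage: generate the ruleset (constructed addresses), dry-run check it,
# and only then load it with `nft -f`.
gen_bcp38_ruleset "192.0.2.10" "2001:db8::10" > /tmp/bcp38_egress.nft
if check_ruleset /tmp/bcp38_egress.nft; then
  echo "syntax OK: load with nft -f /tmp/bcp38_egress.nft"
else
  echo "check skipped or failed (nft missing, not root, or syntax error)"
fi
```

On a router the same source check belongs in the forward path, one set per customer-facing interface, rather than in the output hook.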