BCP38 adoption "incentives"?
Peter Beckman
beckman at angryox.com
Tue Sep 27 21:20:48 UTC 2016
On Tue, 27 Sep 2016, White, Andrew wrote:
> This assumes the ISP manages the customer's CPE or home router, which is
> often not the case. Adding such ACLs to the upstream device, operated by
> the ISP, is not always easy or feasible.
Which is why the manufacturer should deploy a default config which does
this. Whatever the WAN IP (and by default, in 90%+ of configurations,
there is a single WAN IP for CPE), ACLs are automatically managed to block
all outbound packets that are NOT from the WAN IP.
And when DHCP or PPPoE gives a new IP, the rules are rewritten
automatically by the CPE with updated rules.
This won't fix the DDoS attack from IoT devices or IP cameras or whatnot
that don't attempt to hide their IP, but it would help with spoofing at
the edge for the non-network savvy.
> It would make sense for most ISPs to have egress filtering at the edge
> (transit and peering points) to filter out packets that should not
> originate from the ISP's ASN, although this does not prevent spoofing
> between points in the ISP's network.
Multi-tiered approaches are excellent. Start with the CPE, move to your
aggs, then your big iron at the edges. Automate deployments and rule
generation.
---------------------------------------------------------------------------
Peter Beckman Internet Guy
beckman at angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
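An added example of the CPE-side rule rewriting Peter describes (written for this page, not code from the post, from NANOG, or from any CPE vendor): a POSIX sh script for a Linux-based router that builds an nftables table which drops any packet leaving the WAN interface whose source is not the current WAN IPv4 address, and reinstalls it atomically whenever the DHCP client or pppd hands out a new address. The interface name, the table name `bcp38`, the hook function names and the sample address 203.0.113.7 are assumptions; the dhclient variables (`reason`, `interface`, `new_ip_address`) and the pppd ip-up positional arguments are the ones those tools document. The address is validated before it is interpolated into the ruleset so that a garbage or hostile DHCP option cannot inject nft commands.

```shell
#!/bin/sh
# Hypothetical BCP38 egress filter for a Linux CPE (example, not from the post).
# Requires nftables; run as root from a dhclient exit hook or pppd ip-up script.

# Accept only a dotted-quad IPv4 address with octets 0-255 (and reject 0.0.0.0,
# which is never a usable WAN address). Anything else must not reach nft.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    [ "$1" != "0.0.0.0" ] || return 1
    _old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_old_ifs
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Interface names: letters, digits, '.', '_', '-' only.
is_ifname() {
    case "$1" in
        "" | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Emit a complete nft script. The table is created if missing and flushed in the
# same transaction, so an address change replaces the old rule atomically
# without touching any other table (NAT, firewall) on the box.
bcp38_ruleset() {
    iface="$1"
    wan_ip="$2"
    cat <<EOF
add table inet bcp38
flush table inet bcp38
table inet bcp38 {
    chain egress {
        # Priority 110 runs after srcnat (100), so LAN traffic has already been
        # NATed to the WAN address and is let through; only spoofed sources remain.
        type filter hook postrouting priority 110; policy accept;
        # A DHCP client in the unnumbered state may send from 0.0.0.0 through the
        # IP stack (many clients use packet sockets instead, which bypass this hook).
        oifname "$iface" ip saddr 0.0.0.0 udp sport 68 udp dport 67 accept
        oifname "$iface" ip saddr != $wan_ip counter log prefix "bcp38-drop " drop
    }
}
EOF
}

# Validate inputs, then load the ruleset with nft.
bcp38_apply() {
    is_ifname "$1" || { echo "bcp38: bad interface name '$1'" >&2; return 1; }
    is_ipv4 "$2"   || { echo "bcp38: refusing to install rules for '$2'" >&2; return 1; }
    bcp38_ruleset "$1" "$2" | nft -f -
}

# dhclient exit hook (sourced from /etc/dhcp/dhclient-exit-hooks.d/): dhclient
# exports $reason, $interface and $new_ip_address for each lease event.
bcp38_dhclient_hook() {
    case "${reason:-}" in
        BOUND | RENEW | REBIND | REBOOT)
            bcp38_apply "$interface" "$new_ip_address" ;;
    esac
}

# pppd /etc/ppp/ip-up: $1 is the interface name, $4 the local IP address.
bcp38_pppd_hook() {
    bcp38_apply "$1" "$4"
}

# Manual use: "bcp38-egress.sh apply eth0 203.0.113.7" installs the rules,
# "bcp38-egress.sh show eth0 203.0.113.7" prints the ruleset that would be loaded.
case "${1:-}" in
    apply) bcp38_apply "$2" "$3" ;;
    show)  bcp38_ruleset "$2" "$3" ;;
esac
```

This covers IPv4 only; on a dual-stack CPE the same chain would need an `ip6 saddr` rule keyed on the delegated prefix rather than a single address. The `log` rule is there so that an operator can see a misconfigured LAN host or an infected device trying to spoof, which is the case Peter notes a CPE filter cannot otherwise fix.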