BCP38 adoption "incentives"?

Peter Beckman beckman at angryox.com
Tue Sep 27 21:20:48 UTC 2016

On Tue, 27 Sep 2016, White, Andrew wrote:

> This assumes the ISP manages the customer's CPE or home router, which is
> often not the case. Adding such ACLs to the upstream device, operated by
> the ISP, is not always easy or feasible.

  Which is why the manufacturer should deploy a default config which does
  this. Whatever the WAN IP, and by default, and in 90%+ configurations,
  there is a single WAN IP for CPE, ACLs are automatically managed to block
  all outbound packets that are NOT From: the WAN IP.

  And when DHCP or PPPoE gives a new IP, the rules are rewritten
  automatically by the CPE with updated rules.

  This won't fix the DDOS attach from IoT devices or IP Cameras or whatnot
  that don't attempt to hide their IP, but it would help with spoofing at
  the edge for the non-network saavy.

> It would make sense for most ISPs to have egress filtering at the edge
> (transit and peering points) to filter out packets that should not
> originate from the ISP's ASN, although this does not prevent spoofing
> between points in the ISP's network.

  Multi-tiered approaches are excellent. Start with the CPE, move to your
  aggs, then your big iron at the edges. Automate deployments and rule

Peter Beckman                                                  Internet Guy
beckman at angryox.com                                 http://www.angryox.com/

More information about the NANOG mailing list