BCP38 on public-facing Ubuntu servers

Stephen Satchell list at satchell.net
Wed Jun 2 04:40:46 UTC 2021


Not every uplink service implements BCP38.  When putting up servers 
connected more-or-less directly to the Internet through these uplinks, 
it would be nice if the servers themselves were able to implement 
ingress and egress filtering according to BCP38.  (Sorry about the typo 
in the subject lines of my previous message -- not everyone can get a 
BGP feed.)

(Or, when using Ubuntu server edition to implement edge routers.)

My earlier query was asking if anyone has encoded the blackhole routes 
in YAML for inserting in netplan(5).  My prior message contains the 
routes to be blackholed.  That takes care of egress routing.

(I think I can write a Python program to take my list and convert it to 
the YAML that netplan(5) wants to see.  That way, the routes are 
inserted when the public interface is up, and removed when the public 
interface is down.)

Ingress routing appears to be a one-line addition.  IPTABLES can be told 
to weed out packets with unroutable source addresses.  My experiments 
will add something like this line to the firewall:

# iptables -A INPUT -m addrtype -i enp1s0 --src-type BLACKHOLE -j DROP

THIS HAS NOT BEEN VERIFIED.  I'm building a web server that will 
integrate this idea, and try it out.


More information about the NANOG mailing list
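The list-to-netplan conversion the message above describes, as an added example that is not part of the original post or the NANOG thread. It assumes netplan(5) routes accept `type: blackhole` with no `via` (they do on current Ubuntu releases), uses the interface name enp1s0 from the post, and the prefix list embedded in it is a constructed sample of well-known unroutable ranges, not the list from the author's earlier message; substitute that list as needed.

```python
"""Emit netplan(5) blackhole routes (BCP38 egress filtering) from a prefix list.

Added example, not code from the original NANOG post.  The embedded prefix
list is a constructed sample (RFC 1918, RFC 5737, RFC 6598, ...), not the
author's list from the earlier message.
"""
import ipaddress
import sys
from typing import List

# Constructed sample: one prefix per line, '#' starts a comment.
SAMPLE_PREFIXES = """\
0.0.0.0/8        # "this" network, RFC 1122
10.0.0.0/8       # private, RFC 1918
100.64.0.0/10    # shared address space (CGNAT), RFC 6598
127.0.0.0/8      # loopback, RFC 1122
169.254.0.0/16   # link local, RFC 3927
172.16.0.0/12    # private, RFC 1918
192.0.0.0/24     # IETF protocol assignments, RFC 6890
192.0.2.0/24     # TEST-NET-1, RFC 5737
192.168.0.0/16   # private, RFC 1918
198.18.0.0/15    # benchmarking, RFC 2544
198.51.100.0/24  # TEST-NET-2, RFC 5737
203.0.113.0/24   # TEST-NET-3, RFC 5737
240.0.0.0/4      # reserved, RFC 1112
"""


def parse_prefixes(text: str) -> List[ipaddress._BaseNetwork]:
    """Parse a prefix list into collapsed IPv4/IPv6 networks.

    strict=True rejects entries with host bits set (e.g. 10.1.2.3/8) instead
    of silently masking them, so a typo cannot blackhole an unintended range.
    Adjacent and overlapping prefixes are merged so the kernel gets one route
    per contiguous range.
    """
    v4, v6 = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from None
        (v4 if net.version == 4 else v6).append(net)
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def netplan_blackhole_yaml(nets, iface: str) -> str:
    """Render a netplan fragment with one 'type: blackhole' route per prefix.

    Hanging the routes off the public interface makes netplan install them
    when that interface comes up; the kernel drops them when it goes down.
    No 'via' is needed for a blackhole route.
    """
    lines = [
        "network:",
        "  version: 2",
        "  ethernets:",
        f"    {iface}:",
        "      routes:",
    ]
    for net in nets:
        lines.append(f"        - to: {net}")
        lines.append("          type: blackhole")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python3 bcp38_netplan.py [prefix-file] > /etc/netplan/60-bcp38.yaml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PREFIXES
    sys.stdout.write(netplan_blackhole_yaml(parse_prefixes(text), "enp1s0"))
```

Two practical notes. First, netplan merges files lexicographically and a later file's `routes:` key replaces, rather than appends to, an earlier definition of the same interface's routes, so if the interface's existing YAML already carries a `routes:` list, the blackholes belong in that list; `netplan try` will show what actually gets applied. Second, the same kernel blackhole routes are what the post's `-m addrtype --src-type BLACKHOLE` ingress rule matches against, since that match does a route lookup on the source address, so one prefix list drives both directions once the routes are installed.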