BGP38 egress filter on Ubuntu Server

Grant Taylor gtaylor at tnetconsulting.net
Wed Jun 2 20:35:40 UTC 2021


On 6/2/21 12:39 AM, William Herrin wrote:
> I think you may be misunderstanding BCP 38. BCP 38 is about limiting 
> -source- addresses. What you've described is bogon filtering on 
> destination IP addresses. As far as I know, there's no BCP on bogon 
> filtering although BCP 84 offers some relevant advice.

I agree.

However, I will add that it's trivial to extend the destination based 
filtering to be source based filtering by enabling reverse path filtering.

Adding the bogons as destinations to a routing table (that is processed) 
is compatible with reverse path filtering.  Putting the bogons in 
IPTables / NFTables is incompatible with reverse path filtering.

Stephen:  I've not done this with NetPlan but I do this on Linux and 
have found it to be extremely effective when combined with reverse path 
filtering.  I have an EBGP feed from Team Cymru and augment it 
(additional routing tables) with (e-)DROP and federated Fail-2-Ban.  I 
like it!



-- 
Grant. . . .
unix || die
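The routing-table approach described in the message above, as an added example that is not part of the NANOG thread or of any poster's setup: a small POSIX shell script that installs a constructed bogon list as blackhole routes in a dedicated policy-routing table, hooks that table into lookups with an `ip rule`, and turns on strict reverse path filtering so packets *sourced* from those prefixes fail the kernel's source validation and are dropped. The prefix list, the table id (100) and the rule priority (1000) are all assumptions chosen for illustration; a real deployment would feed the table from the BGP session or feed mentioned in the thread. The script defaults to a dry run that only prints the iproute2/sysctl commands, so it can be read and tested without root.

```shell
#!/bin/sh
# Added example (not from the NANOG thread): bogon prefixes as blackhole routes
# in their own routing table plus strict rp_filter, so the same FIB entries
# reject both traffic *to* and traffic *from* the bogon space.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them (root).

# Constructed sample list for illustration only (RFC 1918 / RFC 5737 space),
# NOT a live bogon feed. Replace with the real feed before using for real.
BOGONS="10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
192.0.2.0/24
198.51.100.0/24"

TABLE="${BOGON_TABLE:-100}"       # assumed: any otherwise unused table id
PRIO="${BOGON_RULE_PRIO:-1000}"   # assumed: must sort before main (32766)

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# One blackhole route per prefix, all in the dedicated bogon table.
# 'replace' makes re-running the script after a feed update idempotent.
bogon_routes() {
  printf '%s\n' "$BOGONS" | while IFS= read -r pfx; do
    [ -n "$pfx" ] || continue
    run ip route replace blackhole "$pfx" table "$TABLE"
  done
}

# Make the table part of every lookup (no selector = matches all traffic).
# Because this is a FIB table, both the forwarding lookup on the destination
# and the reverse-path lookup on the source consult it; an iptables/nftables
# DROP would be invisible to the reverse-path check.
bogon_rule() {
  run ip rule add priority "$PRIO" lookup "$TABLE"
}

# Strict mode (1): a packet whose source address resolves to a blackhole
# route, or to a route not via the ingress interface, is discarded.
rpf_strict() {
  run sysctl -w net.ipv4.conf.all.rp_filter=1
  run sysctl -w net.ipv4.conf.default.rp_filter=1
}

# Helper used for checking: number of blackhole routes the script would add.
count_bogon_routes() {
  bogon_routes | grep -c 'blackhole'
}

# Apply in order: routes first, then the rule that activates them, then RPF.
apply_all() {
  bogon_routes
  bogon_rule
  rpf_strict
}

# Stand-alone invocation (dry run unless DRY_RUN=0 is exported).
[ "${BOGON_NO_AUTORUN:-0}" = "1" ] || apply_all
```

Two practical caveats with this layout: the bogon table sits before `main`, so any prefix in the feed that overlaps your own addressing (the constructed RFC 1918 entries here would blackhole a private LAN) is dropped before the kernel ever sees your real routes, and strict `rp_filter` also rejects legitimate asymmetric traffic on multi-homed hosts, where `rp_filter=2` (loose) still discards sources that resolve to a blackhole while tolerating asymmetry.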


More information about the NANOG mailing list