BCP38 For BGP Customers

• Previous message (by thread): BCP38 For BGP Customers
• Next message (by thread): BCP38 For BGP Customers
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This may not exist yet, but what about a uRPF-like feature that uses RPKI, IRR, etc. instead of current BGP feed? 







----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "Charles Rumford via NANOG" <nanog at nanog.org> 
To: nanog at nanog.org 
Sent: Monday, November 7, 2022 10:47:54 AM 
Subject: BCP38 For BGP Customers 

Hello - 

I'm are currently working on getting BCP38 filtering in place for our BGP 
customers. My current plan is to use the Juniper uRPF feature to filter out 
spoofed traffic based on the routing table. The mentality would be: "If you 
don't send us the prefix, then we don't accept the traffic". This has raised 
some issues amongst our network engineers regarding multi-homed customers. 

One of the issues raised was if a multi-homed BGP customer revoked a prefix from 
one of their peerings, but continued sending us traffic on the link then we 
would drop the traffic. 

I would like to hear what others are doing for BCP38 deployments for BGP 
customers. Are you taking the stance of "if you don't send us the prefix, then 
we don't accept the traffic"? Are you putting in some kind of fall back filter 
in based on something like IRR data? 

Thanks! 

-- 
Charles Rumford (he/his/him) 
Network Engineer | Deft 
1-312-268-9342 | charlesr at deft.com 
deft.com 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20221107/54226e3c/attachment.html>

• Previous message (by thread): BCP38 For BGP Customers
• Next message (by thread): BCP38 For BGP Customers
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]