nanog mailing list archives
Re: Request for comment -- BCP38
From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 27 Sep 2016 13:36:39 +0200
* Jason Iannone:
I have a question regarding language. We've seen bcp38 described as a forwarding filter, preventing unallocated sources from leaving the AS. I understand that unicast reverse path forwarding checks support bcp38, but urpf is an input check with significant technical differences from output filters. Are urpf and bcp38 interchangeable terms in this discussion? It seems impractical and operationally risky to implement two unique ways to dos customers. What are the lessons learned by operators doing static output filters, strict urpf, or loose/feasible urpf?
Historically (in 1998, when RFC 2267 was released), BCP 38 was an egress filter applied at the AS boundary. A complainant would be able to identify the AS by looking at the IP address and contact the relevant ISP. Within the AS, that ISP could identify the actual packet source by other means. Reverse-path forwarding checks were explicitly ruled out as likely infeasible even in RFC 2267, except for links which are essentially dialups. Current terminology is more complicated. Personally, I think that mandating specific approaches such as BCP 38 or uRPF does not work. The goal should be to cut down spoofed traffic. Whether this is done by contracts (which are adhered to, obviously), monitoring or immediate technical enforcement in the routers, does not matter at all.
For a new implementation, I assume the safe bet is to start with loose urpf. Even if it stops only some traffic it at least gives the network to dip its toes and expose some customer brokenness.
If loose uRPF is effective at all depends a lot on network architecture.
Current thread:
- Re: Request for comment -- BCP38, (continued)
- Re: Request for comment -- BCP38 Paul Ferguson (Sep 26)
- Re: Request for comment -- BCP38 Ken Chase (Sep 26)
- Re: Request for comment -- BCP38 Hugo Slabbert (Sep 26)
- Re: Request for comment -- BCP38 Laszlo Hanyecz (Sep 26)
- Re: Request for comment -- BCP38 Mike Hammett (Sep 26)
- Re: Request for comment -- BCP38 Baldur Norddahl (Sep 26)
- Re: Request for comment -- BCP38 Florian Weimer (Sep 26)
- Re: Request for comment -- BCP38 Baldur Norddahl (Sep 26)
- Re: Request for comment -- BCP38 Florian Weimer (Sep 27)
- Re: Request for comment -- BCP38 Jason Iannone (Sep 27)
- Re: Request for comment -- BCP38 Florian Weimer (Sep 27)
- Re: Request for comment -- BCP38 Stephen Satchell (Sep 27)
- Re: Request for comment -- BCP38 Florian Weimer (Sep 27)
- Re: Request for comment -- BCP38 Ken Chase (Sep 26)
- Re: Request for comment -- BCP38 Paul Ferguson (Sep 26)
- Re: Request for comment -- BCP38 Aled Morris (Sep 26)
- Re: Request for comment -- BCP38 John Levine (Sep 26)
- Re: Request for comment -- BCP38 Laszlo Hanyecz (Sep 26)
- Re: Request for comment -- BCP38 Eliot Lear (Sep 26)
- Re: Request for comment -- BCP38 Mark Andrews (Sep 26)
- Re: Request for comment -- BCP38 Hugo Slabbert (Sep 26)
- Re: Request for comment -- BCP38 John Levine (Sep 26)
- Re: Request for comment -- BCP38 Mike Hammett (Sep 26)