nanog mailing list archives
Re: BGP38 egress filter on Ubuntu Server
From: Grant Taylor via NANOG <nanog () nanog org>
Date: Wed, 2 Jun 2021 14:35:40 -0600
On 6/2/21 12:39 AM, William Herrin wrote:
> I think you may be misunderstanding BCP 38. BCP 38 is about limiting -source- addresses. What you've described is bogon filtering on destination IP addresses. As far as I know, there's no BCP on bogon filtering although BCP 84 offers some relevant advice.
I agree. However I will add that it's trivial to extend the destination based filtering to be source based filtering by enabling reverse path filtering.
Adding the bogons as destinations to a routing table (that is processed) is compatible with reverse path filtering. Putting the bogons in IPTables / NFTables is incompatible with reverse path filtering.
Stephen: I've not done this with NetPlan but I do this on Linux and have found it to be extremely effective when combined with reverse path filtering. I have an EBGP feed from Team Cymru and augment it (additional routing tables) with (e-)DROP and federated Fail-2-Ban. I like it!
-- Grant. . . . unix || die
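
The interaction described in the message above, as an added example that is not part of the original post: a simplified Python model of a routing lookup plus a reverse path check, showing that bogons installed as blackhole routes filter on both destination and source. The prefixes, interface names and function names are constructed for illustration, and the check is a model of strict/loose reverse path filtering, not the kernel's code.

```python
import ipaddress

# Constructed sample FIB: (prefix, route type, outgoing interface).
FIB = [
    ("0.0.0.0/0", "unicast", "eth0"),        # default route via upstream
    ("198.51.100.0/24", "unicast", "eth1"),  # constructed internal LAN
    ("10.0.0.0/8", "blackhole", None),       # bogon installed as a null route
    ("192.0.2.0/24", "blackhole", None),     # bogon installed as a null route
]

def lookup(fib, addr):
    """Longest-prefix match; returns (route_type, iface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, rtype, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, rtype, iface)
    return None if best is None else best[1:]

def rp_filter_accepts(fib, src, in_iface, strict=True):
    """Reverse path check: route the *source* address as if it were a destination."""
    route = lookup(fib, src)
    # A blackhole (or missing) route back to the source fails the check.
    if route is None or route[0] != "unicast":
        return False
    # Strict mode also requires the route to point out the arrival interface.
    return route[1] == in_iface if strict else True

def forward_verdict(fib, src, dst, in_iface):
    """Model of forwarding one packet: source check first, then destination."""
    if not rp_filter_accepts(fib, src, in_iface):
        return "drop: source fails reverse path check"
    route = lookup(fib, dst)
    if route is None or route[0] != "unicast":
        return "drop: destination is blackholed"
    return "forward via " + route[1]

if __name__ == "__main__":
    # Same packet with and without the bogon routes in the table.
    print(forward_verdict(FIB, "10.9.9.9", "198.51.100.7", "eth0"))
    print(forward_verdict(FIB[:2], "10.9.9.9", "198.51.100.7", "eth0"))
```

With only the two unicast routes, the packet sourced from 10.9.9.9 passes the strict check because the default route points back out eth0; adding the blackhole routes is what makes the reverse path check reject it.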