[191726] in North American Network Operators' Group


Re: Request for comment -- BCP38

daemon@ATHENA.MIT.EDU (Hugo Slabbert)
Mon Sep 26 11:07:46 2016

X-Original-To: nanog@nanog.org
Date: Mon, 26 Sep 2016 08:04:05 -0700
From: Hugo Slabbert <hugo@slabnet.com>
To: Stephen Satchell <list@satchell.net>
In-Reply-To: <3da98299-58bd-fee2-168d-56e680a81720@satchell.net>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org



On Mon 2016-Sep-26 07:47:50 -0700, Stephen Satchell <list@satchell.net> wrote:

>On 09/26/2016 07:11 AM, Paul Ferguson wrote:
>>No -- BCP38 only prescribes filtering outbound to ensure that no
>>packets leave your network with IP source addresses which are not
>>from within your legitimate allocation.
>
>So, to beat that horse to a fare-thee-well, to be BCP38 compliant I
>need, on every interface sending packets out to the internet, to
>block any source address matching a subnet in the BOGON list OR not
>matching any of my routeable network subnets?

TBF, I would assume that you don't have routable/allocated networks within
BOGON ranges, so just "if src in mynets permit else discard" covers both
sets.

>Plus add null-route entries for all the BOGONs in my routing table so I
>don't send a bad destination packet to my upstream?

I don't think that falls within the purview of BCP38 as BCP38 has to do
with source address filtering/verification rather than destination.  If
you're running full tables and filtering BOGONs on BGP import, though, you
shouldn't have routes for BOGONs in your tables and with a 0/0 discard
should be dropping them anyway, but if you're not running full tables and
so need to "punch holes" in a static default, then explicit null-routes for
BOGON destinations would do it.  Honestly, though: your upstream probably
drops BOGON destinations anyway, so dropping BOGON destinations within your
own network is just (a) good hygiene and (b) saves from your transit bill
however many bps of BOGON-destined traffic you have.

-- 
Hugo Slabbert       | email, xmpp/jabber: hugo@slabnet.com
pgp key: B178313E   | also on Signal
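
The two checks discussed in this message, sketched as an added example that is not part of the original post: the "if src in mynets permit else discard" egress rule (with a check that no allocation overlaps a bogon range) and a static default with null routes punched in for bogon destinations. All prefixes are constructed: documentation ranges stand in for a real allocation and for a routable remote destination, so the bogon list here is abbreviated and omits them.

```python
import ipaddress

# Constructed sample data (assumptions, not from the thread).
MYNETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]

def overlapping_bogons(mynets, bogons):
    """Return (mynet, bogon) pairs that overlap. An empty list means the
    permit-list alone already excludes every bogon source."""
    return [(m, b) for m in mynets for b in bogons if m.overlaps(b)]

def source_permitted(src, mynets):
    """The egress rule from the message: permit only sources inside mynets."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in mynets)

def build_static_table(bogons, upstream="upstream"):
    """Static default route plus one null route per bogon prefix."""
    table = {ipaddress.ip_network("0.0.0.0/0"): upstream}
    table.update({b: "discard" for b in bogons})
    return table

def lookup(table, dst):
    """Longest-prefix match: the most specific covering route wins,
    so a bogon null route overrides the default."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n in table if addr in n), key=lambda n: n.prefixlen)
    return table[best]

def egress_decision(src, dst, mynets, table):
    """Source check first (the BCP38 part), then destination lookup."""
    if not source_permitted(src, mynets):
        return "drop: source not in mynets"
    if lookup(table, dst) == "discard":
        return "drop: null-routed destination"
    return "forward"

if __name__ == "__main__":
    table = build_static_table(BOGONS)
    for src, dst in [("198.51.100.7", "192.0.2.10"),   # legitimate
                     ("10.0.0.5", "192.0.2.10"),       # bogon source
                     ("203.0.113.9", "192.168.1.1")]:  # bogon destination
        print(src, "->", dst, ":", egress_decision(src, dst, MYNETS, table))
```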

