[151694] in North American Network Operators' Group
Re: BCP38 Deployment
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Wed Mar 28 16:37:25 2012
Date: Wed, 28 Mar 2012 13:36:49 -0700
From: Leo Bicknell <bicknell@ufp.org>
To: NANOG list <nanog@nanog.org>
In a message written on Wed, Mar 28, 2012 at 12:44:04PM -0700, Michael Thomas wrote:
> Except for the small problem that getting cheap home router box
> manufacturers to do just about anything is a pushing on string exercise.
> So if I want to a) protect my network and b) be a good netizen, I'm
> still going to want to do BCP 38 regardless of whether others violate
> a, b or both. Right?
BCP38 has nothing to do with a); doing it on your own network doesn't
really protect you from much of anything of note. It's all about
b), being a good citizen, and having a leg to stand on when you try
to convince others to do the same, which will help protect you.
But the home router vendors aren't as hard to make move as you
think. True, the chance of them moving in response to the fact
that BCP38 exists, or that NANOG wants them to is zero. Nada,
zilch. However, there are some powerful companies that buy a lot
of boxes from these vendors. That free-to-the-subscriber box with
a Comcast, Verizon, Cox, Cable Vision, AT&T, SBC, or other provider
label on it is just a rebranded version of one of these devices.
If the guy buying several million dollars worth of the boxes showed
up and demanded this feature, it would be done. Once it's done for
them, it's a free "feature" they can market in the boxes at Best Buy
to try and recover more of their development costs.
So in that sense we need to pressure the ISPs to implement BCP38!
Maybe I'm back to agreeing with the OP! However, we need to pressure
them not to turn on RPF on their routers (although that's a fine
thing too, defense in depth and all, if they can they should), but
to pressure the vendors they are buying from to do it. The standards
bodies should also be pressured as well, to get it into the
specifications.
I think some engineers need to ask some interesting questions, like
how, in a box doing NAT to an outside IP, does it ever emit a packet
not from that outside IP? The fact that you can spoof packets
through some of the NAT implementations out there is mind-blowing
to me.
I'm telling you, if the big 10 ISPs would just add one bullet point
to their RFPs for equipment:
* Any device performing an IP routing function must default to strict
mode unicast RPF for all connected networks as specified in RFC 3704
Section 2.2 as a method of implementing BCP38.
We'd be done with this issue and move on to other things. Sure, there
would still be spoofed packets, and yes, other types of operators (like
free public wifi and such) still need to do the right BCP38 filtering
when configuring their systems...but just having this on all residential
gear gets rid of well over 90% of the crud we're all trying to stop.
-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
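As an added illustration, not code from the post or from any router vendor: a toy Python model of the RFC 3704 Section 2.2 strict-mode uRPF check the RFP bullet asks for, combined with the NAT observation above (a NATing CPE should never emit a packet from anything but its outside address). The FIB, interface names and addresses are constructed sample values.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed FIB for a home router: (prefix, interface the route points out of).
FIB: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("192.168.1.0/24"), "lan0"),  # the subscriber's LAN
    (ipaddress.ip_network("0.0.0.0/0"), "wan0"),       # default route to the ISP
]
WAN_IP = "203.0.113.7"  # constructed: the CPE's single outside (NAT) address


def route_interface(addr: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match in the FIB; returns the egress interface."""
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, ifname in FIB:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifname)
    return best[1] if best else None


def strict_urpf_permits(src: str, ingress: str) -> bool:
    """RFC 3704 Section 2.2 strict mode: accept only if the best route back to
    the packet's source address points out the interface it arrived on."""
    return route_interface(ipaddress.ip_address(src)) == ingress


def cpe_forward(src: str, ingress: str) -> Tuple[str, Optional[str]]:
    """Ingress check plus NAT: returns (verdict, source address on the wire
    after forwarding, or None when the packet is dropped)."""
    if not strict_urpf_permits(src, ingress):
        return ("drop: strict uRPF failed (BCP38)", None)
    if ingress == "lan0":
        # LAN traffic is NATed; the only source that may ever leave wan0 is WAN_IP.
        return ("forward", WAN_IP)
    return ("forward", src)


if __name__ == "__main__":
    # Constructed sample packets: (source address, ingress interface).
    for src, ifname in [("192.168.1.10", "lan0"), ("8.8.8.8", "lan0"),
                        ("198.51.100.5", "wan0"), ("192.168.1.10", "wan0")]:
        print(src, ifname, "->", cpe_forward(src, ifname))
```

The second and fourth sample packets are the spoofing cases the post is about: a LAN host sourcing a foreign address, and an outside packet claiming a LAN source; both fail the strict check before NAT is even consulted.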