[161827] in North American Network Operators' Group
Re: BCP38 - Internet Death Penalty
daemon@ATHENA.MIT.EDU (Mark Andrews)
Wed Mar 27 11:26:39 2013
To: Jack Bates <jbates@brightok.net>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Wed, 27 Mar 2013 10:02:04 CDT."
<515309EC.4070402@brightok.net>
Date: Thu, 28 Mar 2013 02:25:55 +1100
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
In message <515309EC.4070402@brightok.net>, Jack Bates writes:
> On 3/27/2013 9:23 AM, Jay Ashworth wrote:
> > Is BCP38 *not* well enough though out even for large and medium sized
> > carriers to adopt as contractual language, much less for FCC or
> > someone to impose upon them? If so, we should work on it further.
>
> BCP38 could definitely use some work. It is correct as a general
> concept. It does not go into depth of the different available
> technologies and how they might be of use. For example, dhcp is nice,
> but it usually requires uRPF (sometimes with exceptions) depending on
> the vendor. If BGP filters are being applied, it is usually not hard to
> apply packet filtering according to the same route filters. Some NSPs
> use traditional ingress filtering, while others have uRPF enabled with
> exception lists. Some require that you send all networks, but set
> communities for networks you don't want routed yet allowed via uRPF
> (which usually means anyone connected to the same router as you will
> still route your way).
Technologies change. Concepts rarely do. BCP38 is technology neutral.
> It's also not a bad idea for an ISP to deploy EGRESS filters if they do
> not offer BGP Transit services. This way they are not depending on their
> transit providers to handle spoof protection and they cover their entire
> network regardless of last mile ingress filtering. This doesn't
> generally work well when doing transit services of any size due to the
> number of egress filter updates you'd have to issue, but it is great for
> the small/medium ISP.
EGRESS filters are just INGRESS filters applied a couple of hops later.
> Jack
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
