[191733] in North American Network Operators' Group


Re: Request for comment -- BCP38

daemon@ATHENA.MIT.EDU (Seth Mattinen)
Mon Sep 26 12:04:27 2016

X-Original-To: nanog@nanog.org
To: nanog@nanog.org
From: Seth Mattinen <sethm@rollernet.us>
Date: Mon, 26 Sep 2016 09:01:50 -0700
In-Reply-To: <3da98299-58bd-fee2-168d-56e680a81720@satchell.net>
Errors-To: nanog-bounces@nanog.org

On 9/26/16 07:47, Stephen Satchell wrote:
> On 09/26/2016 07:11 AM, Paul Ferguson wrote:
>> No -- BCP38 only prescribes filtering outbound to ensure that no
>> packets leave your network with IP source addresses which are not
>> from within your legitimate allocation.
>
> So, to beat that horse to a fare-thee-well, to be BCP38 compliant I
> need, on every interface sending packets out to the internet, to block
> any source address matching a subnet in the BOGON list OR not matching
> any of my routeable network subnets?  Plus add null-route entries for
> all the BOGONs in my routing table so I don't send a bad destination
> packet to my upstream?



I start with customer interfaces and configure them to only allow 
traffic with a source address in their assigned subnet.

~Seth
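
The two filtering points discussed in this thread, modelled as an added example (not part of the original message): a per-customer-interface source check and the outbound check against the provider's own allocation. The prefixes are documentation ranges, the interface names are hypothetical, and the sample flows are constructed.

```python
import ipaddress

# Constructed sample data: documentation prefixes, hypothetical interface names.
CUSTOMER_PREFIXES = {
    "cust-a": ["192.0.2.0/26", "2001:db8:a::/48"],
    "cust-b": ["192.0.2.64/26"],
}
OWN_ALLOCATION = ["192.0.2.0/24", "2001:db8::/32"]


def _covered(src, prefixes):
    """True if src parses as an IP address and falls inside one of the prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: treat as not permitted
    nets = (ipaddress.ip_network(p) for p in prefixes)
    return any(addr.version == n.version and addr in n for n in nets)


def customer_port_permits(interface, src):
    """Customer-interface check: source must be in that customer's assigned subnet."""
    return _covered(src, CUSTOMER_PREFIXES.get(interface, []))  # unknown port: deny


def edge_permits(src):
    """Outbound edge check: source must be inside the provider's own allocation."""
    return _covered(src, OWN_ALLOCATION)


def classify(interface, src):
    """Say whether the customer-port filter permits the packet, and if not,
    whether an edge-only filter would have caught it as well."""
    if customer_port_permits(interface, src):
        return "permit"
    if edge_permits(src):
        return "drop (edge filter alone would miss)"
    return "drop (edge filter would also catch)"


# Constructed flows: (ingress interface, claimed source address)
SAMPLE_FLOWS = [
    ("cust-a", "192.0.2.10"),     # customer using its own address
    ("cust-b", "192.0.2.10"),     # customer using a neighbour's address
    ("cust-a", "198.51.100.7"),   # source outside the provider's allocation
]

if __name__ == "__main__":
    for iface, src in SAMPLE_FLOWS:
        print(f"{iface:8} {src:16} {classify(iface, src)}")
```

The second sample flow is the case that only the customer-interface filter stops: the source is inside the provider's allocation, so a check applied only at the outbound edge lets it through.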
