[191883] in North American Network Operators' Group
Re: Request for comment -- BCP38
daemon@ATHENA.MIT.EDU (Jay R. Ashworth)
Sun Oct 2 00:05:37 2016
Date: Sun, 2 Oct 2016 01:39:10 +0000 (UTC)
From: "Jay R. Ashworth" <jra@baylink.com>
To: North American Network Operators' Group <nanog@nanog.org>
In-Reply-To: <87shsly3p4.fsf@mid.deneb.enyo.de>
----- Original Message -----
> From: "Florian Weimer" <fw@deneb.enyo.de>
> * Jason Iannone:
>> Are urpf and bcp38 interchangeable terms in this discussion? It seems
>> impractical and operationally risky to implement two unique ways to dos
>> customers. What are the lessons learned by operators doing static output
>> filters, strict urpf, or loose/feasible urpf?
>
> Historically (in 1998, when RFC 2267 was released), BCP 38 was an
> egress filter applied at the AS boundary.

You meant ingress, no?

The control of the address space allocation resides with the upstream,
as must control of the filtering.

You *can* do BCP38 egress filtering on your network, but that filter
would *be in control of the Bad Guys* whom we're trying to kill off.
The filtering needs to be on the other side of the administrative
span of control fence.

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274