nanog mailing list archives

Re: source filtering (Re: rfc1918 ignorant)


From: Jared Mauch <jared () puck Nether net>
Date: Thu, 24 Jul 2003 11:04:43 -0400


On Thu, Jul 24, 2003 at 01:44:33PM +0100, variable () ednet co uk wrote:
> On Wed, 23 Jul 2003, Jared Mauch wrote:
> 
> >     I think you'll see more and more networks slowly over
> > time move closer to bcp38.
> 
> Is there anywhere that this is recorded?  It would be interesting to see
> what the actual state of play on implementation of BCP38 was.

        I can speak about the networks that I operate
with regards to this:

        AS2914 performs source filtering on a significant number
of our customers.  This coverage is not 100%, and sometimes is only
the 'loose' rpf check, but there are a significant number of customers
that have the strict rpf check that was enabled some time ago
without any problems  (we watched counters for drops, and looked at
the packets that were dropped to determine if there was some
asymmetrical routing going on).  It was shocking how many T1 customers
that had a /28 or similar routed to them were spoofing address space
outside of the continent.

        I am personally trying to ensure that our IPv6 infrastructure
begins with filtering in place instead of adding it on later
as an afterthought.

> I believe that AT&T is the only "tier-1" provider that is in full
> compliance with this.
> 
> We've asked other tier-1's about BCP38 and were completely underwhelmed by
> the response.  If you believe in the BCPs then I guess you just have to
> vote with your feet and try to use transit providers which comply with
> them.

        Well, I'm sure that some providers face the challenges
that some of the older router hardware can't do line-rate filtering
for unicast-rpf.  It's sometimes difficult to get this stuff out
of the network as management wants to extend the lifetime of
working hardware as long as possible to reduce capital expenditures.

        network security vs budgets.. /sigh.

        - jared

-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
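Editor's added example (not part of Jared's message or the thread): a small Python model of the strict vs. loose unicast RPF decision he describes, including the "watch what strict mode would drop before enabling it" step. The FIB, interface names and sample packets are constructed for illustration; a real router does this against its forwarding table, and the default-route handling (`allow_default`) mirrors the usual knob of that name, stated here as an assumption about typical behaviour rather than any specific vendor's.

```python
"""Model of the strict vs. loose unicast RPF decision a provider edge
router makes on ingress (BCP38 source filtering).  The FIB, interface
names and packet samples below are constructed, not from a real network."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Route:
    prefix: Network
    interface: str


# Constructed FIB of a hypothetical edge router.
FIB = [
    Route(ipaddress.ip_network("192.0.2.0/28"), "Serial0/1"),        # T1 customer A, a /28
    Route(ipaddress.ip_network("198.51.100.0/24"), "Serial0/2"),     # customer B
    Route(ipaddress.ip_network("2001:db8:1::/48"), "Serial0/1"),     # customer A's IPv6 block
    Route(ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet1/0"),  # default via upstream
]


def lookup(addr: Address) -> Optional[Route]:
    """Longest-prefix match on the FIB; None if nothing covers addr."""
    best = None
    for r in FIB:
        if addr.version == r.prefix.version and addr in r.prefix:
            if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
                best = r
    return best


def rpf_check(src: str, ingress: str, mode: str, allow_default: bool = False) -> bool:
    """True if a packet with source `src` arriving on `ingress` passes uRPF.

    loose:  pass if the FIB has any route covering the source, on any
            interface.  A default route only counts when allow_default
            is set (assumed here to match typical router behaviour).
    strict: additionally require the best route's outgoing interface to
            be the ingress interface, i.e. the reverse path must lead
            back out the link the packet came in on.
    """
    route = lookup(ipaddress.ip_address(src))
    if route is None:
        return False
    if route.prefix.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return route.interface == ingress
    raise ValueError(f"unknown uRPF mode: {mode}")


# Constructed sample of traffic seen on customer A's link.
PACKETS: List[Tuple[str, str]] = [
    ("192.0.2.5", "Serial0/1"),       # A sourcing its own /28: passes either mode
    ("2001:db8:1::10", "Serial0/1"),  # A's IPv6 block: passes either mode
    ("198.51.100.9", "Serial0/1"),    # B's address on A's link: loose passes, strict drops
    ("203.0.113.7", "Serial0/1"),     # only the default covers it: spoofed "far away" source
    ("10.0.0.1", "Serial0/1"),        # RFC1918 source with no specific route
]


def dropped_sources(packets, mode: str, allow_default: bool = False) -> List[str]:
    """The drop-counter view: which sources the check would discard.

    This is the list to inspect before turning strict mode on.  Another
    customer's legitimate address showing up here points at asymmetric
    routing rather than spoofing, which needs a routing fix (or loose
    mode on that link) before strict mode is safe."""
    return [src for src, ifc in packets if not rpf_check(src, ifc, mode, allow_default)]


if __name__ == "__main__":
    for mode in ("loose", "strict"):
        print(mode, "drops:", dropped_sources(PACKETS, mode))
    print("loose with allow-default drops:", dropped_sources(PACKETS, "loose", True))
```

Note what the last line of the demo shows: with the default route counted, loose mode passes every sample packet, including the RFC1918 source, which is why loose mode with a default route on a customer-facing router is close to no filter at all.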

