nanog mailing list archives
Re: source filtering (Re: rfc1918 ignorant)
From: Jared Mauch <jared () puck Nether net>
Date: Thu, 24 Jul 2003 11:04:43 -0400
On Thu, Jul 24, 2003 at 01:44:33PM +0100, variable () ednet co uk wrote:
> On Wed, 23 Jul 2003, Jared Mauch wrote:
> > I think you'll see more and more networks slowly over time move closer to bcp38.
>
> Is there anywhere that this is recorded? It would be interesting to see what the actual state of play on implementation of BCP38 was.

I can speak about the networks that I operate with regards to this: AS2914 performs source filtering on a significant number of our customers. This coverage is not 100%, and sometimes is only the 'loose' rpf check, but there are a significant number of customers that have the strict rpf check that was enabled some time ago without any problems (we watched counters for drops, and looked at the packets that were dropped to determine if there was some asymmetrical routing going on). It was shocking how many t1 customers that had a /28 or similar routed to them were spoofing address space outside of the continent. I am personally trying to ensure that our IPv6 infrastructure begins with filtering in place instead of adding it on later as an afterthought.

> I believe that AT&T is the only "tier-1" provider that is in full compliance with this.
>
> We've asked other tier-1's about BCP38 and were completely underwhelmed by the response. If you believe in the BCPs then I guess you just have to vote with your feet and try to use transit providers which comply with them.

Well, I'm sure that some providers face the challenges that some of the older router hardware can't do linerate filtering for unicast-rpf. It's sometimes difficult to get this stuff out of the network as management wants to extend the lifetime of working hardware as long as possible to reduce capital expenditures. network security vs budgets.. /sigh.

- jared

--
Jared Mauch | pgp key available via finger from jared () puck nether net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
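
The strict and loose rpf checks discussed in the message above, and the drop-counter review it describes, as an added example that is not part of the original post. It is a simplified model: the FIB, interface names (`cust-t1`, `cust-multi`, `peer-x`), prefixes and packets are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed FIB (prefix -> interface the best route points out of).
FIB = {
    "192.0.2.0/28": "cust-t1",     # /28 routed to a T1 customer
    "198.51.100.0/24": "peer-x",   # multihomed customer; best path is via a peer
    "203.0.113.0/24": "peer-x",    # someone else's routed space
}

# Constructed packets: (source address, arrival interface, note)
PACKETS = [
    ("192.0.2.5", "cust-t1", "legitimate customer source"),
    ("203.0.113.9", "cust-t1", "spoofed: routed space that is not the customer's"),
    ("10.1.1.1", "cust-t1", "spoofed: RFC 1918 source, no route"),
    ("198.51.100.7", "cust-multi", "legitimate but asymmetric return path"),
]

def best_route(src):
    """Longest-prefix match on the source; returns the interface or None."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), i) for p, i in FIB.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def urpf_pass(src, in_if, mode):
    out_if = best_route(src)
    if out_if is None:
        return False          # no route back to the source: both modes drop
    if mode == "loose":
        return True           # loose: any route to the source is enough
    return out_if == in_if    # strict: route must point out the arrival interface

def drop_report(mode):
    """Per-interface drop counters plus the dropped packets, for review."""
    counters, dropped = Counter(), []
    for src, in_if, note in PACKETS:
        if not urpf_pass(src, in_if, mode):
            counters[in_if] += 1
            dropped.append((src, in_if, note))
    return counters, dropped

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        counters, dropped = drop_report(mode)
        print(mode, dict(counters))
        for row in dropped:
            print("   ", row)
```

In strict mode the drop on `cust-multi` is the asymmetric-routing false positive that reviewing dropped packets is meant to catch; in loose mode the spoofed source from routed space passes, which is the coverage that mode gives up.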