nanog mailing list archives

Re: large BCP38 compliance testing


From: Nick Hilliard <nick () foobar org>
Date: Thu, 02 Oct 2014 12:35:35 +0100

On 02/10/2014 12:23, Jérôme Nicolle wrote:
> This. But let me ask you, how many transit providers actually implement
> strict prefix-filtering? I've seen many using a max-prefix as their
> sole defense.

Plenty do and have no back-end capability to handle this, other than email updates.

> Now, let's consider what you want is to match an interface ACL to
> prefixes received on a BGP session running through the same interface.
> Ain't that what uRPF-strict is all about? What are the known downsides
> to uRPF-strict?

Your bgp announcement to your upstream is not guaranteed to be there all the time. E.g. if you're doing maintenance and stop announcing bgp to your upstream for inbound traffic, but still want to depend on it for outbound traffic, urpf will trash things.

urpf is only feasible for statically configured hand-offs.

> When buying from transits, you either update your IRR for automatic
> prefix-filter generation on your transit's side, or start by a "BGP over
> SMTP" session. While the former could generate ACLs from a template, the
> latter will be prone to human error. And still, how many of us _really_
> ensure their IRRs are always up-to-date?

This only happens when there is a reason to do so.

> Next in line: IXPs. You never really know what routes will be available
> or have to be filtered when 800+ ASes, most with customers also using BGP,
> start talking to the same route-server. Or maybe, the route-server
> could provide a flowspec AFI to send filters AND routes simultaneously.

IXPs are more difficult, but if your IXP is running a route server, they should be implementing strict prefix filtering. At least, this puts pressure on IXP participants to register their prefix at their local irrdb.

> Would you trust it? Will your router have enough silicon-horse-power to
> match both IP _and_ L2 headers at line-rate?

Probably yes on most routers with dedicated hardware for this, but it will depend on the number of ACL entries.

> BCP38 aims at spoof prevention by filtering as close to the source as
> possible. Implementation on network's edge looks to me like a tricky
> one. Sharing the load amongst CPE is the best practice, and could be
> considered a requirement enforced by transit providers. Or shouldn't it?

urpf is appropriate for the ISP last hop. Static filters are suitable for the transit provider connecting that ISP to the rest of the network.

Nick
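The failure mode Nick describes (strict uRPF dropping a customer's outbound traffic once the customer stops announcing its prefix, while a static ingress ACL keeps permitting it) can be modelled in a few lines. The following is an added example, not code from the thread or from any vendor; the interface names, the FIB contents and the RFC 5737 documentation prefixes are constructed for illustration.

```python
"""Model of strict uRPF versus a static ingress ACL on a provider edge router.

Added example, not from the NANOG thread. Interface names ("cust1",
"transit"), prefixes (RFC 5737 documentation ranges) and the FIB are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Router:
    # FIB as (prefix, egress interface) entries. In practice these come from
    # BGP, which is exactly why uRPF-strict depends on the customer's
    # announcement being present at the moment a packet arrives.
    fib: list = field(default_factory=list)
    # Static per-interface ingress ACL: interface -> permitted source prefixes.
    acl: dict = field(default_factory=dict)

    def install(self, prefix, iface):
        self.fib.append((ipaddress.ip_network(prefix), iface))

    def withdraw(self, prefix, iface):
        net = ipaddress.ip_network(prefix)
        self.fib = [(p, i) for p, i in self.fib if not (p == net and i == iface)]

    def lookup(self, addr):
        """Longest-prefix match; returns the egress interface or None."""
        addr = ipaddress.ip_address(addr)
        best = None
        for prefix, iface in self.fib:
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, iface)
        return best[1] if best else None

    def urpf_strict(self, src, in_iface):
        """Strict uRPF: permit only if the best route back to src exits via in_iface."""
        return self.lookup(src) == in_iface

    def acl_permit(self, src, in_iface):
        """Static ACL: permit only if src lies inside a prefix configured for in_iface."""
        addr = ipaddress.ip_address(src)
        return any(addr in p for p in self.acl.get(in_iface, ()))


def maintenance_scenario():
    """Return permit/drop decisions for three cases under each mechanism."""
    r = Router()
    r.acl["cust1"] = {ipaddress.ip_network("192.0.2.0/24")}   # constructed customer block
    r.install("0.0.0.0/0", "transit")       # default route toward the upstream
    r.install("192.0.2.0/24", "cust1")      # learned over the customer's BGP session

    results = {}
    # Normal operation: legitimate customer-sourced packet on the customer port.
    results["normal_urpf"] = r.urpf_strict("192.0.2.10", "cust1")
    results["normal_acl"] = r.acl_permit("192.0.2.10", "cust1")
    # Spoofed source arriving on the customer port: both mechanisms drop it.
    results["spoof_urpf"] = r.urpf_strict("198.51.100.5", "cust1")
    results["spoof_acl"] = r.acl_permit("198.51.100.5", "cust1")
    # Customer withdraws its announcement for maintenance but keeps sending
    # outbound traffic: uRPF-strict now drops legitimate packets, the ACL does not.
    r.withdraw("192.0.2.0/24", "cust1")
    results["withdrawn_urpf"] = r.urpf_strict("192.0.2.10", "cust1")
    results["withdrawn_acl"] = r.acl_permit("192.0.2.10", "cust1")
    return results


if __name__ == "__main__":
    for case, permitted in maintenance_scenario().items():
        print(f"{case:16s} {'permit' if permitted else 'DROP'}")
```

Running it shows both mechanisms agreeing on the normal and spoofed cases, and diverging only after the withdrawal: the route for 192.0.2.0/24 is gone, so the longest match for the customer's source falls to the default route via "transit", and strict uRPF rejects the packet on "cust1" while the static ACL still permits it. That divergence is the reason for the point above that uRPF suits a statically configured last hop and static filters suit the transit side.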
