Re: BCP38 - Internet Death Penalty

[Mark Andrews <marka () isc org>]

In message <515309EC.4070402 () brightok net>, Jack Bates writes:
> On 3/27/2013 9:23 AM, Jay Ashworth wrote:
> > Is BCP38 *not* well enough though out even for large and medium sized 
> > carriers to adopt as contractual language, much less for FCC or 
> > someone to impose upon them? If so, we should work on it further.
>
> BCP38 could definitely use some work. It is correct as a general 
> concept. It does not go into depth of the different available 
> technologies and how they might be of use. For example, dhcp is nice, 
> but it usually requires uRPF (sometimes with exceptions) depending on 
> the vendor. If BGP filters are being applied, it is usually not hard to 
> apply packet filtering according to the same route filters. Some NSPs 
> use traditional ingress filtering, while others have uRPF enabled with 
> exception lists. Some require that you send all networks, but set 
> communities for networks you don't want routed yet allowed via uRPF 
> (which usually means anyone connected to the same router as you will 
> still route your way).

Technologies change.  Concepts rarely do.  BCP38 is technology neutral.
 
> It's also not a bad idea for an ISP to deploy EGRESS filters if they do 
> not offer BGP Transit services. This way they are not depending on their 
> transit providers to handle spoof protection and they cover their entire 
> network regardless of last mile ingress filtering. This doesn't 
> generally work well when doing transit services of any size due to the 
> number of egress filter updates you'd have to issue, but it is great for 
> the small/medium ISP.

EGRESS filters are just INGRESS filters applied a couple of hops later.
 
> Jack
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org