nanog mailing list archives
Re: large BCP38 compliance testing
From: Jérôme Nicolle <jerome () ceriz fr>
Date: Thu, 02 Oct 2014 13:23:42 +0200
On 02/10/2014 12:28, Nick Hilliard wrote:
> It would probably be more productive to pressurise transit providers to enforce bcp38 on their customer links.
This. But let me ask you, how many transit providers actually implement strict prefix-filtering? I've seen many using a max-prefix as their sole defense.

Now, let's consider what you want is to match an interface ACL to prefixes received on a BGP session running through the same interface. Ain't that what uRPF-strict is all about? What are the known downsides to uRPF-strict?

When buying from transits, you either update your IRR for automatic prefix-filter generation on your transit's side, or start by a "BGP over SMTP" session. While the former could generate ACLs from a template, the latter will be prone to human error. And still, how many of us _really_ ensure their IRRs are always up-to-date?

Next in line: IXPs. You never really know what routes will be available or have to be filtered when 800+ AS, most with customers also using BGP, start talking to the same route-server.

Or maybe, the route-server could provide a flowspec AFI to send filters AND routes simultaneously. Would you trust it? Will your router have enough silicon-horse-power to match both IP _and_ L2 headers at line-rate?

BCP38 aims at spoof prevention by filtering as close to the source as possible. Implementation on the network's edge looks to me like a tricky one. Sharing the load amongst CPE is the best practice, and could be considered a requirement enforced by transit providers. Or shouldn't it?

Best regards,

--
Jérôme Nicolle
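The comparison raised in the message above, strict uRPF against an interface ACL built from the prefixes accepted on the BGP session over that interface, as an added example that is not part of the original post. Interface names, prefixes (documentation ranges) and both tables are constructed, and the helper names are hypothetical; the multihomed, asymmetric-routing case it exercises is the limitation of strict uRPF discussed in RFC 3704.

```python
import ipaddress

# Constructed sample data. A multihomed customer announces two prefixes on the
# session over "cust0"; our best path for the second one is via "peer1".
ANNOUNCED = {  # interface -> prefixes accepted on the BGP session over it
    "cust0": ["192.0.2.0/24", "198.51.100.0/24"],
    "peer1": ["198.51.100.0/24", "203.0.113.0/24"],
}
FIB = {  # best path only: prefix -> egress interface
    "192.0.2.0/24": "cust0",
    "198.51.100.0/24": "peer1",
    "203.0.113.0/24": "peer1",
}

def _net(prefix):
    return ipaddress.ip_network(prefix)

def urpf_strict(src, in_if, fib=FIB):
    """Accept only if the longest-match route for src points back out in_if."""
    addr = ipaddress.ip_address(src)
    matches = [(_net(p), ifc) for p, ifc in fib.items() if addr in _net(p)]
    if not matches:
        return False  # no route back to the source at all
    best_net, best_if = max(matches, key=lambda m: m[0].prefixlen)
    return best_if == in_if

def build_acl(announced=ANNOUNCED):
    """Per-interface source ACL from every prefix accepted on that session,
    whether or not it won best-path selection."""
    return {ifc: list(ipaddress.collapse_addresses(_net(p) for p in prefixes))
            for ifc, prefixes in announced.items()}

def acl_permits(src, in_if, acl):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acl.get(in_if, []))

def compare(src, in_if):
    """Return (strict uRPF verdict, session-derived ACL verdict)."""
    return urpf_strict(src, in_if), acl_permits(src, in_if, build_acl())

if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "10.0.0.1"):
        print(src, "on cust0 ->", compare(src, "cust0"))
```

The second address is legitimate customer traffic that strict uRPF drops because the return path is asymmetric, while the session-derived ACL permits it; both checks reject the source the customer never announced.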