nanog mailing list archives

Re: Request for comment -- BCP38

From: "Jay R. Ashworth" <jra () baylink com>
Date: Sun, 2 Oct 2016 01:39:10 +0000 (UTC)

----- Original Message -----

From: "Florian Weimer" <fw () deneb enyo de>

* Jason Iannone:

Are urpf and bcp38 interchangeable terms in this discussion?  It seems
impractical and operationally risky to implement two unique ways to dos
customers.  What are the lessons learned by operators doing static output
filters, strict urpf, or loose/feasible urpf?


Historically (in 1998, when RFC 2267 was released), BCP 38 was an
egress filter applied at the AS boundary.


You meant ingress, no?

The control of the address space allocation resides with the upstream,
as must control of the filtering.

You *can* do BCP38 egress filtering on your network, but that filter
would *be in control of the Bad Guys* whom we're trying to kill off.

The filtering needs to be on the other side of the administrative
span of control fence.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274

Current thread:

Re: Request for comment -- BCP38 Jay R. Ashworth (Oct 01)
- <Possible follow-ups>
- Re: Request for comment -- BCP38 Jay R. Ashworth (Oct 01)
- Re: Request for comment -- BCP38 Jay R. Ashworth (Oct 01)
- Re: Request for comment -- BCP38 Jay R. Ashworth (Oct 01)
  - Re: Request for comment -- BCP38 Florian Weimer (Oct 02)
  - Re: Request for comment -- BCP38 Stephen Satchell (Oct 02)
- Re: Request for comment -- BCP38 Octavio Alvarez (Oct 02)
- Re: Request for comment -- BCP38 Jay Hennigan (Oct 02)