BCP38 deployment [ was Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey ]

[Hugo Slabbert <hugo () slabnet com>]

On Sun 2016-Sep-25 15:59:15 -0700, Stephen Satchell <list () satchell net> wrote:

> On 09/25/2016 07:32 AM, Jay R. Ashworth wrote:
> > > From: "Jay Farrell via NANOG" <nanog () nanog org>
> > > > And of course Brian Krebs has a thing or two to say, not the least is which
> > > > to push for BCP38 (good luck with that, right?).
> > > >
> > > > https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/
> > Well, given how few contributions we've gotten at bcp38.info in the last,
> > what, 4 years, yeah, I guess so...
>
> Yeah, right.  I looked at BCP38.info, and there is very little 
> concrete information.  I've been slogging through the two RFCs, 2827 
> and 3794, and find it tough sledding to extract the nuggets to put 
> into my firewall and routing table.  One of the more interesting new 
> additions to my systems is this, to the routing tables:
### snip ###
> In short, I have yet to see a "cookbook" for BGP38 filtering, for ANY 
> filtering system -- BSD, Linux, Cisco.

I am guilty of not yet contributing cookbook-type info to BCP38.info, but:

Cisco:
http://www.bcp38.info/index.php/HOWTO:Cisco points at 
http://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html

Juniper:
https://www.juniper.net/documentation/en_US/junos14.2/topics/usage-guidelines/interfaces-configuring-unicast-rpf.html
http://www.juniper.net/documentation/en_US/junos15.1/topics/topic-map/unicast-rpf.html

Linux:
From /etc/sysctl.conf:

# Uncomment the next two lines to enable Spoof protection (reverse-path 
# filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

Unfortunately, the net.ipv6 equivalents for those do not yet seem to be a 
thing on Linux.

For a belt-and-suspenders approach:
If you're running an edge network and not transiting traffic for any other 
AS, consider using your assigned aggregates prefix lists to filter on 
egress on your edge for anything not sourced from those aggregates.

I'm curious as to the deployment scope and experiences of various sizes of 
networks in deploying the following:

1.  Strict uRPF on customer-facing ports on edge networks

2.  Source address filtering on upstream edge egress based on assigned 
aggregates

3.  Destination address filtering on upstream edge ingress based on 
assigned aggregates

--
Hugo Slabbert       | email, xmpp/jabber: hugo () slabnet com
pgp key: B178313E   | also on Signal

Attachment: signature.asc
Description: