nanog mailing list archives

Re: Request for comment -- BCP38

From: Jason Iannone <jason.iannone () gmail com>
Date: Tue, 27 Sep 2016 07:22:34 -0400

I have a question regarding language. We've seen bcp38 described as a
forwarding filter, preventing unallocated sources from leaving the AS.  I
understand that unicast reverse path forwarding checks support bcp38, but
urpf is an input check with significant technical differences from output
filters.

Are urpf and bcp38 interchangeable terms in this discussion?  It seems
impractical and operationally risky to implement two unique ways to dos
customers.  What are the lessons learned by operators doing static output
filters, strict urpf, or loose/feasible urpf?

For a new implementation, I assume the safe bet is to start with loose
urpf.  Even if it stops only some traffic it at least gives the network to
dip its toes and expose some customer brokenness.

Bcp38

From my allocation accept, else deny


Urpf loose

From route table exist accept, else deny


Urpf strict

From next hop interface true accept, else deny


On Sep 27, 2016 4:52 AM, "Florian Weimer" <fw () deneb enyo de> wrote:

* Baldur Norddahl:

This means we can receive some packet on transit port A and then route

out

a ICMP response on port B using the interface address from port A. But
transit B filters this ICMP packet because it has a source address
belonging to transit A.

Interesting.  But this looks like a feature request for the router
vendor, and not like an issue with BCP 38 filtering as such.


Can you quote an RFC for anything that the router is doing wrong? Is
there a requirement that a router must support source routing?


It's not an RFC conformance issue (several implementations of source
address selection are possible).  But it appears to make it rather
difficult to configure it in such a way it does what you need, and it
looks like a reasonable enhancement request.

In our case we actually did contact the vendor. Turns out that it will
do source routing but not for packets from the control plane. There is
no way to resolve the issue with the current software available to
us. The vendor is not priotizing fixing this as I am also unable to
point to any RFC that is being violated.


Source routing is not required to fix this.  Other options are using a
globally routed IP address for the source address (this can also be
used to conserve address space because the interface addresses will
not matter anymore), or chosing the interface address based on the
outgoing interface.

Current thread:

Request for comment -- BCP38 Stephen Satchell (Sep 26)
- Re: Request for comment -- BCP38 Paul Ferguson (Sep 26)
  - Re: Request for comment -- BCP38 Ken Chase (Sep 26)
    - Re: Request for comment -- BCP38 Hugo Slabbert (Sep 26)
    - Re: Request for comment -- BCP38 Laszlo Hanyecz (Sep 26)
    - Re: Request for comment -- BCP38 Mike Hammett (Sep 26)
    - Re: Request for comment -- BCP38 Baldur Norddahl (Sep 26)
    - Re: Request for comment -- BCP38 Florian Weimer (Sep 26)
    - Re: Request for comment -- BCP38 Baldur Norddahl (Sep 26)
    - Re: Request for comment -- BCP38 Florian Weimer (Sep 27)
    - Re: Request for comment -- BCP38 Jason Iannone (Sep 27)
    - Re: Request for comment -- BCP38 Florian Weimer (Sep 27)
    - Re: Request for comment -- BCP38 Stephen Satchell (Sep 27)
    - Re: Request for comment -- BCP38 Florian Weimer (Sep 27)
    - Re: Request for comment -- BCP38 Aled Morris (Sep 26)
    - Re: Request for comment -- BCP38 John Levine (Sep 26)
    - Re: Request for comment -- BCP38 Laszlo Hanyecz (Sep 26)
    - Re: Request for comment -- BCP38 Eliot Lear (Sep 26)
    - Re: Request for comment -- BCP38 Mark Andrews (Sep 26)
    - Re: Request for comment -- BCP38 Hugo Slabbert (Sep 26)
    - Re: Request for comment -- BCP38 John Levine (Sep 26)

(Thread continues...)