nanog mailing list archives

Re: BCP38 For BGP Customers


From: Matt Harris <matt () netfire net>
Date: Mon, 7 Nov 2022 13:40:45 -0600

Hey Charles,
My recommendation would not be to run uRPF facing a BGP customer.

That said, you have two issues to address here: one is the acceptance of
prefix advertisements, and the other is the acceptance of traffic.

uRPF does nothing to help with the former, and the gold standard there is
generally considered to be RPKI. IRR-based filtering is another reasonable
way to filter prefix advertisements you receive, and several well-known
IXs and transit providers, for example, do just this.

The latter, acceptance of traffic, is a broader challenge. In essence, you
don't really have a good way to know what traffic is legitimate and what
isn't. My advice would be simply to watch for things you don't expect, log
them when they occur in significant quantity, and manually review incidents
that are unexpected to understand why. If you cannot understand why, then
you can work with the client sending the traffic to try to understand it,
or block that specific traffic from that specific client. uRPF on a client
circuit raises exactly the issues you've already raised. Many clients, even
smaller ones, who choose to run BGP sessions with transit providers will
wish to be able to employ common TE practices, and by deploying uRPF, you
may very well be creating a nasty situation for them which potentially is
also difficult for smaller shops without high end tooling in place to
diagnose easily.

- mdh


On Mon, Nov 7, 2022 at 1:22 PM Charles Rumford via NANOG <nanog () nanog org>
wrote:

Hello -

I am currently working on getting BCP38 filtering in place for our BGP
customers. My current plan is to use the Juniper uRPF feature to filter out
spoofed traffic based on the routing table. The mentality would be: "If you
don't send us the prefix, then we don't accept the traffic". This has raised
some issues amongst our network engineers regarding multi-homed customers.

One of the issues raised was if a multi-homed BGP customer revoked a prefix
from one of their peerings, but continued sending us traffic on the link,
then we would drop the traffic.

I would like to hear what others are doing for BCP38 deployments for BGP
customers. Are you taking the stance of "if you don't send us the prefix,
then we don't accept the traffic"? Are you putting in some kind of fallback
filter based on something like IRR data?

Thanks!

--
Charles Rumford (he/his/him)
Network Engineer | Deft
1-312-268-9342 | charlesr () deft com
deft.com


Matt Harris
VP OF INFRASTRUCTURE
matt.harris () netfire net
816-256-5446
www.netfire.com
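
The multi-homed case raised in this thread, as an added example that is not code from either poster: it compares what a strict uRPF check and a static IRR-derived source filter would drop when a customer withdraws a prefix for traffic engineering but keeps sending from it, and lists the unexpected sources worth manual review. All prefixes (RFC 5737 documentation ranges), flow records, function names and the byte threshold are constructed assumptions, and strict uRPF is simplified to "a covering prefix is currently announced on this session".

```python
import ipaddress
from collections import Counter

# Constructed sample data (RFC 5737 documentation prefixes), not from the thread.
IRR_REGISTERED = ["192.0.2.0/24", "198.51.100.0/24"]  # customer's registered prefixes
ANNOUNCED_TO_US = ["192.0.2.0/24"]  # 198.51.100.0/24 withdrawn on this link for TE
FLOWS = [  # (source address, bytes) seen inbound on the customer link
    ("192.0.2.10", 9000),
    ("198.51.100.7", 120000),
    ("198.51.100.9", 80000),
    ("203.0.113.5", 400),
    ("203.0.113.77", 750000),
]

def covered(src, prefixes):
    """True if src falls inside any of the given prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def strict_urpf_accepts(src, announced=ANNOUNCED_TO_US):
    """Simplified strict uRPF: a route covering src must point at this link."""
    return covered(src, announced)

def irr_filter_accepts(src, registered=IRR_REGISTERED):
    """Static source filter built from the customer's registered prefixes."""
    return covered(src, registered)

def dropped_bytes(flows, accepts):
    """Bytes a given policy would drop, keyed by source address."""
    drops = Counter()
    for src, nbytes in flows:
        if not accepts(src):
            drops[src] += nbytes
    return drops

def review_queue(flows, threshold=100000):
    """Sources outside the registered set whose volume merits manual review."""
    drops = dropped_bytes(flows, irr_filter_accepts)
    return sorted(s for s, b in drops.items() if b >= threshold)

if __name__ == "__main__":
    print("strict uRPF drops:", dict(dropped_bytes(FLOWS, strict_urpf_accepts)))
    print("IRR filter drops: ", dict(dropped_bytes(FLOWS, irr_filter_accepts)))
    print("review:", review_queue(FLOWS))
```

The strict check drops the customer's own traffic from the withdrawn 198.51.100.0/24, while the registration-based filter drops only the 203.0.113.0/24 sources, and only the high-volume one reaches the review queue.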
