North American Network Operators Group
Re: source filtering (Re: rfc1918 ignorant)
On Thu, Jul 24, 2003 at 01:44:33PM +0100, [email protected] wrote:
> On Wed, 23 Jul 2003, Jared Mauch wrote:
>
> > I think you'll see more and more networks slowly over
> > time move closer to bcp38.
>
> Is there anywhere that this is recorded? It would be interesting to see
> what the actual state of play on implementation of BCP38 was.

I can speak about the networks that I operate with regards to this:

AS2914 performs source filtering on a significant number of our customers. This coverage is not 100%, and sometimes is only the 'loose' rpf check, but there are a significant number of customers that have the strict rpf check that was enabled some time ago without any problems (we watched counters for drops, and looked at the packets that were dropped to determine if there was some asymmetrical routing going on).

It was shocking how many t1 customers that had a /28 or similar routed to them were spoofing address space outside of the continent.

I am personally trying to ensure that our IPv6 infrastructure begins with filtering in place instead of adding it on later as an afterthought.

> > I believe that AT&T is the only "tier-1" provider that is in full
> > compliance with this.
>
> We've asked other tier-1's about BCP38 and were completely underwhelmed by
> the response. If you believe in the BCPs then I guess you just have to
> vote with your feet and try to use transit providers which comply with
> them.

Well, I'm sure that some providers face the challenges that some of the older router hardware can't do linerate filtering for unicast-rpf. It's sometimes difficult to get this stuff out of the network as management wants to extend the lifetime of working hardware as long as possible to reduce capital expenditures.

network security vs budgets.. /sigh.

- jared

--
Jared Mauch | pgp key available via finger from [email protected]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
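
The strict and loose rpf checks mentioned in the message above, and the drop-counter review that goes with enabling strict mode, sketched as an added example that is not part of the original post or any router's actual code. It assumes a default-free routing table; every prefix, interface name and packet below is constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed default-free routing table: prefix -> interfaces on the best path.
# All prefixes and interface names are made up for illustration.
TABLE = [(ipaddress.ip_network(p), i) for p, i in [
    ("192.0.2.16/28", {"cust-t1"}),    # single-homed T1 customer
    ("198.51.100.0/24", {"cust-a"}),   # multihomed customer, best path via cust-a
    ("203.0.113.0/24", {"peer0"}),     # someone else's space, reached via a peer
]]

def lookup(src):
    """Longest-prefix match on the source address; None if no route exists."""
    addr = ipaddress.ip_address(src)
    hits = [(net.prefixlen, ifaces) for net, ifaces in TABLE if addr in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def urpf(in_iface, src, mode):
    """Return 'pass' or 'drop' for one packet under 'strict' or 'loose' uRPF."""
    ifaces = lookup(src)
    if ifaces is None:
        return "drop"                  # no route back at all: both modes drop
    if mode == "loose":
        return "pass"                  # any route to the source is enough
    return "pass" if in_iface in ifaces else "drop"   # strict: same interface

def review_strict_drops(packets):
    """Tally strict-mode drops per interface and list them for inspection."""
    counters, detail = Counter(), []
    for in_iface, src in packets:
        if urpf(in_iface, src, "strict") == "drop":
            counters[in_iface] += 1
            detail.append((in_iface, src, lookup(src)))
    return counters, detail

# Constructed sample traffic: (ingress interface, source address)
PACKETS = [
    ("cust-t1", "192.0.2.18"),    # customer's own /28
    ("cust-t1", "203.0.113.9"),   # routable source that is not the customer's
    ("cust-t1", "10.1.2.3"),      # RFC 1918 source, no route in the table
    ("cust-b", "198.51.100.7"),   # multihomed customer sending on its other link
]

if __name__ == "__main__":
    counters, detail = review_strict_drops(PACKETS)
    print(dict(counters))
    for iface, src, expected in detail:
        print(iface, src, "route via", expected or "none")
```

The `cust-b` drop is the asymmetric-routing case: the source is legitimate but its best return path is another interface, so strict mode drops it while loose mode passes it.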