North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: source filtering (Re: rfc1918 ignorant)

  • From: Jared Mauch
  • Date: Thu Jul 24 11:05:33 2003

On Thu, Jul 24, 2003 at 01:44:33PM +0100, [email protected] wrote:
> On Wed, 23 Jul 2003, Jared Mauch wrote:
> 
> > 	I think you'll see more and more networks slowly over
> > time move closer to bcp38.   
> 
> Is there anywhere that this is recorded?  It would be interesting to see 
> what the actual state of play on implementation of BCP38 was.

	I can speak about the networks that I operate
with regards to this:

	AS2914 performs source filtering on a significant number
of our customers.  This coverage is not 100%, and sometimes is only
the 'loose' rpf check, but there are a significant number of customers
that have the strict rpf check that was enabled some time ago
without any problems  (we watched counters for drops, and looked at
the packets that were dropped to determine if there was some
asymetrical routing going on).  It was shocking how many t1 customers
that had a /28 or similar routed to them were spoofing address space
outside of the continent.

	I am personally trying to insure that our IPv6 infrastructure
begins with filtering in place instead of adding it on later
as an afterthought.

> > I believe that AT&T is the only "tier-1" provider that is in full
> > compliance with this.
> 
> We've asked other tier-1's about BCP38 and were completely underwhelmed by
> the response.  If you believe in the BCPs then I guess you just have to
> vote with your feet and try to use transit providers which comply with 
> them.  

	Well, i'm sure that some providers face the challenges
that some of the older router hardware can't do linerate filtering
for unicast-rpf.  It's sometimes dificult to get this stuff out
of the network as managment wants to extend the lifetime of
working hardware as long as possible to reduce capital expendetures.

	network security vs budgets.. /sigh.

	- jared

-- 
Jared Mauch  | pgp key available via finger from [email protected]
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.