an effect of ignoring BCP38
On Thu, 11 Sep 2008, Jo Rhett wrote:
> I've been in, near, or directly in touch with enough big provider NOCs in the
> last year on various DoS attack research issues, and nearly nobody... that's
> right NONE of them were using BCP38 consistently. Name the five biggest
> providers you can think of. They ain't doing it. Now name the five best
> transit providers you can think of. They ain't doing it either. (note that
> all of these claimed to be doing so in that survey, but during attack
> research they admitted that it was only in small deployments)
>
> If someone told me (truthfully) that there was 10% BCP38 compliance out
> there, I'd be surprised given what I have observed.
A problem I have with these discussions is that everyone has their own
idea what "BCP38" implies. Others say their loose-mode uRPF setups
are "BCP38". Others are using strict uRPF or similar (e.g. acls).
Some think that Tier1 transit operators should apply one of the
options above to their tier2 customers. Others think it should just
be applied at the site-edges. Some don't consider spoofing protection
at LAN interface level at all, others call that also BCP38. Etc.
Your note above seems to imply that you would expect the five best
transit providers you think of to apply BCP38 (strict?) to their
customers. Even if the customer is a major ISP? (However, if your
argument is about a smallish end-site, I'd agree spoofing protection
should be applied there.)
FWIW, I've tested what would happen if I were to enable strict-mode
(feasible paths) uRPF on an Internet exchange (all peerings). If I
recall correctly, the amount of dropped packets would have been in the
order of 1%. We decided not to do it. Maybe those "five biggest
providers you can think of" have similar experiences with their
biggest customers?
Loose mode uRPF seems (IMHO) pretty much a waste of time and is
confusing the discussion about real spoofing protection. The added
protection compared to ACLs that drop private and possibly bogons is
not that big and it causes transient losses when the routing tables
are changing.
--
Pekka Savola                  "You each name yourselves king, yet the
Netcore Oy                     kingdom bleeds."
Systems. Networks. Security.   -- George R.R. Martin: A Clash of Kings
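As an added illustration, not part of the mailing-list post, here is a toy model of the three uRPF variants the thread talks past each other about (loose, strict, and strict with feasible paths) next to a plain private/bogon ACL. The forwarding table, interface names and the packets are constructed for the example; the verdicts show why loose mode adds little over an ACL, why strict mode drops legitimate traffic that arrives over a non-best path (the asymmetric-routing case behind the "about 1% on an exchange" observation), and why any route-table lookup, loose mode included, drops packets for a prefix that is momentarily absent from the FIB while routing changes.

```python
"""
Added illustration (not from the mailing-list post): a toy model of the three
uRPF modes discussed in the thread (loose, strict, feasible-path) and a plain
bogon/private-space ACL, evaluated against a constructed FIB.
"""
import ipaddress

# Constructed forwarding table: prefix -> list of (ingress interface, preference).
# Lower preference wins (best path); every listed entry counts as a "feasible" path.
# No default route is installed, as is common on an exchange-facing router.
EXAMPLE_FIB = {
    "192.0.2.0/24":    [("ge-0/0/0", 10)],                    # single-homed customer
    "198.51.100.0/24": [("ge-0/0/1", 10), ("ge-0/0/2", 20)],  # multi-homed peer, backup via ge-0/0/2
    "203.0.113.0/24":  [("ge-0/0/3", 10)],
}

# Constructed ACL of source prefixes that should never appear on the Internet.
BOGON_ACL = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]


def lookup(fib, src):
    """Longest-prefix match of source address `src` in `fib`; returns its path list or None."""
    addr = ipaddress.ip_address(src)
    best_net, best_paths = None, None
    for prefix, paths in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_paths = net, paths
    return best_paths


def urpf_permits(mode, fib, src, ingress):
    """Return True if a packet from `src` arriving on `ingress` passes the given uRPF mode."""
    paths = lookup(fib, src)
    if paths is None:
        # Every mode drops a source with no route at all: unallocated or private space,
        # or a prefix that is momentarily missing from the FIB during a routing change.
        return False
    if mode == "loose":
        return True                                            # any route to the source is enough
    if mode == "feasible":
        return any(iface == ingress for iface, _ in paths)     # any feasible path will do
    if mode == "strict":
        best = min(pref for _, pref in paths)
        return any(iface == ingress and pref == best for iface, pref in paths)
    raise ValueError(f"unknown uRPF mode {mode!r}")


def acl_permits(src):
    """Return True unless `src` falls inside the static bogon/private ACL."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in BOGON_ACL)


def evaluate(fib, src, ingress):
    """Summarise the verdict of every mechanism for one constructed packet."""
    return {
        "loose": urpf_permits("loose", fib, src, ingress),
        "feasible": urpf_permits("feasible", fib, src, ingress),
        "strict": urpf_permits("strict", fib, src, ingress),
        "acl": acl_permits(src),
    }


if __name__ == "__main__":
    # Constructed packets: (description, source address, ingress interface)
    samples = [
        ("legit, best path",                      "192.0.2.5",    "ge-0/0/0"),
        ("legit, arrives on backup (asymmetric)", "198.51.100.7", "ge-0/0/2"),
        ("spoofed routable source, wrong port",   "192.0.2.5",    "ge-0/0/3"),
        ("private source",                        "10.1.1.1",     "ge-0/0/3"),
        ("unrouted but not in the ACL",           "100.64.0.1",   "ge-0/0/3"),
    ]
    for desc, src, iface in samples:
        print(f"{desc:40s} {evaluate(EXAMPLE_FIB, src, iface)}")
```

Reading the table the script prints: the ACL and loose mode agree on everything except space that is unrouted yet not in the static list, which is the whole of loose mode's added value; only strict and feasible-path modes catch a spoofed source that is routable but arrives on the wrong interface, and strict mode alone drops the legitimate packet that arrives over the backup path.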