BCP38 - Internet Death Penalty

[jbates at brightok.net (Jack Bates)]

On 3/27/2013 9:23 AM, Jay Ashworth wrote:
> Is BCP38 *not* well enough though out even for large and medium sized 
> carriers to adopt as contractual language, much less for FCC or 
> someone to impose upon them? If so, we should work on it further.

BCP38 could definitely use some work. It is correct as a general 
concept. It does not go into depth of the different available 
technologies and how they might be of use. For example, dhcp is nice, 
but it usually requires uRPF (sometimes with exceptions) depending on 
the vendor. If BGP filters are being applied, it is usually not hard to 
apply packet filtering according to the same route filters. Some NSPs 
use traditional ingress filtering, while others have uRPF enabled with 
exception lists. Some require that you send all networks, but set 
communities for networks you don't want routed yet allowed via uRPF 
(which usually means anyone connected to the same router as you will 
still route your way).

It's also not a bad idea for an ISP to deploy EGRESS filters if they do 
not offer BGP Transit services. This way they are not depending on their 
transit providers to handle spoof protection and they cover their entire 
network regardless of last mile ingress filtering. This doesn't 
generally work well when doing transit services of any size due to the 
number of egress filter updates you'd have to issue, but it is great for 
the small/medium ISP.


Jack