Home page logo
/

nanog logo nanog mailing list archives

Re: New ISP to market, BCP 38, and new tactics
From: Steve Bertrand <steve () ibctech ca>
Date: Thu, 29 Jan 2009 23:09:39 -0500

Raoul Bhatia [IPAX] wrote:
hello steve,

Steve Bertrand wrote:

I've done much research on RPSL, BCP 38, and other basic filter methods
(and from a systems standpoint, I always follow an
allow,allow,default-deny approach) , and I am willing to follow all
standards and recommended practises to ensure compliance with current
Internet standards.

did you receive off-list replies? do you mind replying with a summary
of your findings to the list? i would also be interested in this subject
thou i will not be able to work on this during the next couple of
months.

Yes, I did receive a few very kind off-list replies.

The feedback was based mainly on the fact that I have a small number of
address blocks, and few connections to the Internet. In summary:

- implement BCP 38 by using ACLs on outward facing interfaces by
permitting anything within my (or my client's) address space as source,
and log/deny the rest (which is my personal standard per my OP)

- on all client-connected interfaces, ensure that the prefix(es) you
supply them with is found in the source address for packets inbound, and
deny the rest

- for smaller *SPs, ACLs is the way to go, as with only a few prefixes
and a limited number of connections to the Internet, manual management
of filters is easily maintained. Inbound ACLs can be put in place when a
new client is provisioned, and for a small shop without the need or the
resources, strategies such as uRPF are not advised

- pay attention to uRPF ("and the like"), as manual ACL management is
not scalable. It pays to keep up with what the "big boys" are doing.
Having knowledge of scalable methods, while utilizing a basic approach
will allow for an easier transition in the event of quick
growth/acquisition/new job.

- ensure you only advertise your own block(s) via BGP. allow-allow-deny
approach

- regarding BGP, scrutinize, but deny-by-default anything longer than
/24. (With IPv6, I don't know of any standard, so I filter above /48 and
I have 1579 and 1422 routes with two peers)

The above is a summary of feedback from others. I have a few that I
already do personally, but remember that I don't even advertise my v4
space myself yet:

- peer with Cymru, and null route BOGONs
- implement a pull-up route
- on all interfaces, 'get rid of' inbound traffic with a source within BOGON
- inform clients of their broken VPN connections, when you see private
IP space being sent via their assigned default gateway (which of course
is just an alert, because it has already been null0'd)
- always develop the closest-match allow filters you can, and implement
with an explicit deny. If anything, for visual purposes
- never be afraid to ask for help
- be confident, but always assume someone knows more than you do
- and most important (IMHO), always acknowledge and be able to admit
when you have made a mistake.

Hopefully this summary is ok. Thanks to all those who did reply off-list.

Steve


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]