nanog mailing list archives

Re: BCP38 For BGP Customers


From: William Herrin <bill () herrin us>
Date: Mon, 7 Nov 2022 12:09:21 -0800

On Mon, Nov 7, 2022 at 8:47 AM Charles Rumford via NANOG
<nanog () nanog org> wrote:
> I'm currently working on getting BCP38 filtering in place for our BGP
> customers. My current plan is to use the Juniper uRPF feature to filter out
> spoofed traffic based on the routing table. The mentality would be: "If you
> don't send us the prefix, then we don't accept the traffic". This has raised
> some issues amongst our network engineers regarding multi-homed customers.

As it should. This plan will break asymmetric routing which is an
ordinary part of multihoming. Moreover, it would not actually
accomplish BCP 38 since the customer would be able to falsify route
announcements. So, basically a complete fail.

For a small BGP customer who has no downstreams of his own, implement
static filters based on the address ranges you have personally
authenticated as belonging to the customer. PERSONALLY AUTHENTICATED.
This means a manual process. The customer will have to
administratively inform you when those address ranges change.

For large BGP customers who service many BGP downstreams, the bottom
line is that BCP 38 cannot be reasonably implemented. It's one of the
weaknesses in the system.

Regards,
Bill Herrin



-- 
For hire. https://bill.herrin.us/resume/
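
Added example, not part of the original message: a small Python model of the two objections raised in the reply, comparing route-based source filtering with a static filter built from authenticated ranges. The prefixes are constructed documentation ranges, the function names are hypothetical, and the uRPF check is simplified to "source is covered by a prefix the customer announces to us".

```python
from ipaddress import ip_address, ip_network

# Constructed data (RFC 5737 documentation prefixes), not from the thread.
AUTHENTICATED = ["192.0.2.0/24", "198.51.100.0/24"]  # ranges verified as the customer's
THIRD_PARTY = "203.0.113.0/24"                       # held by someone else


def covered(src, prefixes):
    """True if the source address falls inside any of the given prefixes."""
    addr = ip_address(src)
    return any(addr in ip_network(p) for p in prefixes)


def urpf_accepts(src, announced_by_customer):
    # Simplified model of route-based filtering (assumption): accept a packet
    # only if the customer currently announces a covering prefix to us.
    return covered(src, announced_by_customer)


def static_accepts(src):
    # Static filter: accept only sources inside manually authenticated ranges,
    # regardless of what the BGP session carries.
    return covered(src, AUTHENTICATED)


def compare(announced_by_customer, packets):
    """Return {source: (route_based_verdict, static_verdict)}."""
    return {src: (urpf_accepts(src, announced_by_customer), static_accepts(src))
            for src in packets}


def scenarios():
    # 1. Multihomed customer announces one range to us and the other only to
    #    its second upstream, but sends outbound traffic from both through us.
    asymmetric = compare(["192.0.2.0/24"], ["192.0.2.10", "198.51.100.10"])
    # 2. The session also carries a prefix the customer does not hold; the
    #    route-based check then trusts sources inside that prefix.
    falsified = compare(["192.0.2.0/24", THIRD_PARTY], ["203.0.113.5"])
    return asymmetric, falsified


if __name__ == "__main__":
    for name, result in zip(("asymmetric", "falsified"), scenarios()):
        for src, (route_based, static) in result.items():
            print(f"{name:11} {src:15} "
                  f"route-based={'accept' if route_based else 'drop':6} "
                  f"static={'accept' if static else 'drop'}")
```
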

