So for someone like me who doesn't operate a transit network (i.e. no BGP), I should be able to safely enable this? I basically have small blocks of IPv4, some internal RIP for static routes, and NAT.

Rory McCann
MKAP Technology Solutions
Web: www.mkap.net

On 1/12/2015 12:54 PM, Dennis Burgess wrote:

The answer is yes, but if you are doing BGP, it's very possible for you to have outbound traffic but no inbound traffic. I.e. there are gotchas. Normally I would not enable that and simply add a firewall rule.

Dennis Burgess, CTO, Link Technologies, Inc.

den...@linktechs.net – 314-735-0270 – www.linktechs.net

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Rory McCann
Sent: Monday, January 12, 2015 12:48 PM
To: af@afmug.com
Subject: Re: [AFMUG] BCP38

Can you not accomplish the same thing with the RP_Filter option in IP/Settings? I'm just asking; I don't know.

http://wiki.mikrotik.com/wiki/Manual:IP/Settings

Rory McCann
MKAP Technology Solutions
Web: www.mkap.net

On 1/12/2015 11:46 AM, Dennis Burgess wrote:

    Basically, any IPs that SHOULD be sourced from your network.  But
    yes, the idea behind BCP38 is to block packets originating from your
    network whose source address SHOULD NOT come from it.  So yes, you
    should already have those rules to not allow traffic from your
    network if it's coming from an IP that should not come from your
    network, and yes, that would include any customer-originated traffic.

    An example: a customer has four /19s and two /22s, plus about 30
    BGP peers for customer traffic.

    The six prefixes would be allowed out, plus any prefixes learned
    from the BGP peers.  If there were two upstreams on the same router,
    both would have a line: if the SRC address is ! (not) in the customer
    prefixes, including the six prefixes they use, then it would be
    dropped on egress of the upstream ports.  An example of this is

    /ip firewall filter
    add action=drop chain=forward out-interface=ether17-internet \
        src-address-list=!Inside-IPs comment="BCP38 egress filter"

    The Inside-IPs list includes the local prefixes and the customer
    prefixes.

    Dennis Burgess, CTO, Link Technologies, Inc.

    den...@linktechs.net – 314-735-0270 – www.linktechs.net

    From: Af [mailto:af-boun...@afmug.com] On Behalf Of Ken Hohhof
    Sent: Monday, January 12, 2015 10:55 AM
    To: af@afmug.com
    Subject: Re: [AFMUG] BCP38

    Yeah, I'm missing what the big deal is here.  If you're talking
    about your border router to your upstream, why would you allow
    outbound traffic with source IPs outside your IP blocks?  Allow
    your IPs, block the rest.

    If you're talking about other routers within your network and are
    wanting to stop the traffic at the source, it could get more
    complicated, since I assume we all use some private IP space within
    our networks for various purposes, mostly management addresses on
    network equipment.

    Dennis mentions customer IPs; if you route customer blocks, those
    would also be allowed, based on an LOA.

    From: Dennis Burgess
    Sent: Monday, January 12, 2015 10:43 AM
    To: af@afmug.com
    Subject: Re: [AFMUG] BCP38

    Very simple.  In MT we do an address list of all valid subnets
    behind the core routers; this would include any prefixes that you
    own or use, plus any BGP prefixes learned from your customers.  Then
    a simple out-interface (internet) drop if it's not sourced from
    that list.  Not exactly iptables, but there ya go..

    Dennis Burgess, CTO, Link Technologies, Inc.

    den...@linktechs.net – 314-735-0270 – www.linktechs.net

    From: Af [mailto:af-boun...@afmug.com] On Behalf Of Sean Heskett
    Sent: Monday, January 12, 2015 10:25 AM
    To: af@afmug.com
    Subject: Re: [AFMUG] BCP38

    Hey Mike,

    Would you be willing to post an iptables statement that would drop
    this traffic?

    Thanks,

    Sean



    On Monday, January 12, 2015, Mike Hammett <af...@ics-il.net> wrote:

    http://www.bcp38.info/index.php/Main_Page

    Make sure you implement this in your networks. Drop all outbound
    traffic to your upstream that is not from valid public IP space.



    -----
    Mike Hammett
    Intelligent Computing Solutions
    http://www.ics-il.com
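The thread contrasts two ways of doing BCP38 on a MikroTik: Dennis's address-list drop rule on the upstream-facing interface, and Rory's suggestion of RP_Filter (strict reverse-path checking). Dennis's warning that RP filter can leave a BGP operator with "outbound traffic but no inbound traffic" is about asymmetric routing, which is easier to see in a model than in prose. The following is an added example written for this page, not configuration or code from anyone in the thread; the prefixes (documentation ranges), interface names and routing table are constructed. It runs both checks over a handful of constructed packets so the difference in behaviour is visible.

```python
"""Model of the two BCP38 approaches discussed in the thread:
an egress source-address filter on the upstream ports (the MikroTik
address-list rule) versus strict reverse-path filtering (rp_filter).
Added example; all prefixes, interfaces and routes are constructed."""
from ipaddress import ip_address, ip_network

# Constructed: prefixes the ISP owns plus a customer block routed under an LOA.
INSIDE_IPS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/22")]

# Constructed: the upstream-facing ports where the egress rule is applied.
UPSTREAM_IFACES = {"ether17-internet", "ether18-internet"}

# Constructed routing table as (prefix, out-interface).  The default
# route points at only one of the two upstreams, so traffic that an
# upstream hands us on ether18 has its return path via ether17: this is
# the asymmetric case a multihomed BGP network routinely has.
ROUTES = [
    (ip_network("203.0.113.0/24"), "ether1-core"),
    (ip_network("198.51.100.0/22"), "ether2-customer"),
    (ip_network("0.0.0.0/0"), "ether17-internet"),
]


def lookup(dst):
    """Longest-prefix match; returns the out-interface or None."""
    best = None
    for net, iface in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def egress_filter(src, out_iface):
    """BCP38 as a forward-chain firewall rule: drop on the upstream ports
    unless the source is in the Inside-IPs list.  Inbound traffic is never
    touched because it leaves via an internal interface."""
    if out_iface in UPSTREAM_IFACES and not any(src in n for n in INSIDE_IPS):
        return "drop"
    return "accept"


def strict_rpf(src, in_iface):
    """Strict reverse-path check: accept only if the best route back to
    the source leaves via the interface the packet arrived on."""
    return "accept" if lookup(src) == in_iface else "drop"


# Constructed packets: (label, source, in-interface, out-interface).
PACKETS = [
    ("spoofed-outbound",   "192.0.2.99",   "ether1-core",      "ether17-internet"),
    ("legit-outbound",     "203.0.113.5",  "ether1-core",      "ether17-internet"),
    ("mgmt-leak-outbound", "10.0.0.5",     "ether1-core",      "ether17-internet"),
    ("symmetric-inbound",  "192.0.2.10",   "ether17-internet", "ether1-core"),
    ("asymmetric-inbound", "192.0.2.10",   "ether18-internet", "ether1-core"),
]


def evaluate(packets=PACKETS):
    """Return {label: (egress_filter verdict, strict_rpf verdict)}."""
    results = {}
    for label, src, in_iface, out_iface in packets:
        s = ip_address(src)
        results[label] = (egress_filter(s, out_iface), strict_rpf(s, in_iface))
    return results


if __name__ == "__main__":
    for label, (egress, rpf) in evaluate().items():
        print(f"{label:20s} egress-filter={egress:6s} strict-rpf={rpf}")
```

Both methods drop the spoofed packet and the leaked RFC 1918 management source Ken mentions, and both pass legitimate outbound traffic. They part ways on the last packet: a reply that the second upstream delivers on ether18 while our own best route to that host is via ether17 is perfectly valid, but strict RPF drops it, which is the "outbound but no inbound" failure Dennis describes. The egress rule never evaluates inbound traffic at all. Two caveats for the real router: the forward chain does not see packets the router itself originates (those go through the output chain), and RouterOS offers a loose rp-filter mode that only requires some route to the source to exist, which avoids the asymmetry problem but does not stop a spoofed source that is routable.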

