I believe the phrase is “all your internets are belong to us”
From: Af [mailto:af-boun...@afmug.com] On Behalf Of Chuck McCown
Sent: Monday, January 12, 2015 10:25 AM
To: af@afmug.com
Subject: Re: [AFMUG] BCP38
Remember when back in the early days, folks could announce “all your internets
are mine” and take down everything.
From: Ken Hohhofmailto:af...@kwisp.com
Sent: Monday, January 12, 2015 11:07 AM
To: af@afmug.commailto:af@afmug.com
Subject: Re: [AFMUG] BCP38
Depends on what you mean by “any prefixes learned by the bgp peers”.
I think most upstreams would manually configure route filters to control what
BGP advertisements to accept, and maybe also an ACL based on source IP.
Otherwise there’s too much risk a customer would advertise routes for non owned
blocks or bogons to you, either maliciously or by mistake, and you would
automatically install these routes and pass them on. Boom, you’re trying to
advertise 8.0.0.0/0 or 10.0.0.0/0 and also allowing source address spoofing
from those IPs, because your customer did something stupid.
Without an LOA and manual configuration, just advertising a route via BGP to
another ASN should not cause those routes to be accepted. Of course your
upstream probably has these same rules, so your customer would have to give you
an LOA that also goes to your upstream authorizing them to advertise those
blocks.
From: Dennis Burgessmailto:dmburg...@linktechs.net
Sent: Monday, January 12, 2015 11:46 AM
To: af@afmug.commailto:af@afmug.com
Subject: Re: [AFMUG] BCP38
Basically ,any IPs that SHOULD be sourced from your network. But yes, the idea
behind BCP38 is to block src address packets originating from your network that
SHOULD NOT. So yes, you should already have those rules to not all traffic
from your network if it’s coming from a IP that should not come from your
network, and yes that would include any customer originated traffic.
An example, customer has 4 /19s and two /22s, plus has about 30 BGP peers for
customer traffic.
The 5 prefixes would be allowed out, plus any prefixes learned by the bgp
peers. If there were two upstream on the same router, both would have a line,
if the SRC address is ! (not) customer prefixes, including the 5 prefixes they
use, then it would be dropped on egress of the upstream ports. An example of
this is
add action=drop chain=forward out-interface=ether17-internet
src-address-list=!Inside-IPs
The inside_ips list include the local prefixes and the customer prefixes.
Dennis Burgess, CTO, Link Technologies, Inc.
den...@linktechs.netmailto:den...@linktechs.net – 314-735-0270 –
www.linktechs.nethttp://www.linktechs.net
From: Af [mailto:af-boun...@afmug.com] On Behalf Of Ken Hohhof
Sent: Monday, January 12, 2015 10:55 AM
To: af@afmug.commailto:af@afmug.com
Subject: Re: [AFMUG] BCP38
Yeah, I’m missing what the big deal is here. If you’re talking about your
border router to your upstream, why would you allow outbound traffic with
source IPs outside your IP blocks? Allow your IPs, block the rest.
If you’re talking about other routers within your network and are wanting to
stop the traffic at the source, it could get more complicated since I assume we
all use some private IP space within our networks for various purposes mostly
management addresses on network equipment.
Dennis mentions customer IPs, if you route customer blocks those would also be
allowed, based on an LOA.
From: Dennis Burgessmailto:dmburg...@linktechs.net
Sent: Monday, January 12, 2015 10:43 AM
To: af@afmug.commailto:af@afmug.com
Subject: Re: [AFMUG] BCP38
Very simple. In MT we do an address list of all valid subnets behind the core
routers, this would include any prefixes that you own or use, plus any BGP
prefixes learned from your customers. Then a simple, out interface (internet)
drop if its not SRCed from that list. Not exactly IP tables, but there ya go..
Dennis Burgess, CTO, Link Technologies, Inc.
den...@linktechs.netmailto:den...@linktechs.net – 314-735-0270 –
www.linktechs.nethttp://www.linktechs.net
From: Af [mailto:af-boun...@afmug.com] On Behalf Of Sean Heskett
Sent: Monday, January 12, 2015 10:25 AM
To: af@afmug.commailto:af@afmug.com
Subject: Re: [AFMUG] BCP38
Hey Mike,
Would you be willing to post an iptables statement that would drop this traffic?
Thanks,
Sean
On Monday, January 12, 2015, Mike Hammett
af...@ics-il.netmailto:af...@ics-il.net wrote:
http://www.bcp38.info/index.php/Main_Page
Make sure you implement this in your networks. Drop all outbound traffic to
your upstream that is not from valid public IP space.
-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
This e-mail and any attachments may contain confidential and privileged
information. If you are not the intended recipient,please notify the sender
immediately by return e-mail, delete this e-mail and destroy any copies. Any
dissemination or use of this information by a