[bcop] Some ideas
Jan Zorz - ISOC
zorz at isoc.org
Fri Jul 5 07:16:57 CEST 2013
On 6/18/13 8:58 AM, Nash, Steve wrote:
> As a very early starting point, having scanned the ietf BCPs, I table the following.

Hi,

Thanks for these ideas (and sorry for the late reply, vacation time in Europe ;) )

> I believe we need to consider both what the requirements should be,
> and also what incentives there might be for compliance.

Good point.

> I suggest the emphasis should be on satisfying the world at large
> that the Internet community encourages its members to behave responsibly.

Responsibility in behavior is a crucial point.

> A secondary objective might be education for new operators.

...and this would make life of many other "old" operators quite easier, would it?

>
> ==========================================
> RIPE Implementation Requirements
>
> 1. INHIBIT ADDRESS SPOOFING
>
> 1.1 BCP 38 (rfc 2827) with BCP 84 (rfc 3704) Ingress Filtering Implemented at every access router and switch as appropriate for:
> 1. Single host
> 2. Non-Transit subnet
> 3. Registered sub-network transit (tell ISP of additional address spaces)
> 4. Open Transit (restrict to BGP?)
> 5......

I think something like this is already on the table and a group forming around that (Dave Freedman, Merike Kaeo, ...) after the antispoofing roundtable at RIPE66 in Dublin.

>
> 1.2 Install RIPE supplied anti-spoofing probe at 10% of access PoPs

This is going to be a long discussion... Technically it's doable, but the community needs to say "we want spoofing on the probes".

>
> 1.3 [Consider] TCP/UDP/SCTP.... port filtering
>
> Accept DNS replies (src port 53) only from customers requesting DNS
> support. Block dest port 53 toward non-hosting clients.

This should be a separate document, describing just the DNS best practices - how to set up a DNS server as an ISP and how to secure it.

>
> 2. POLICIES FOR PEERING
>
> Register External Routing Policy in RIPE Db. Ask Peers to comply
> with this doc (? Inter-RIR ?) ? Apply route filtering

Wondering how many networks use RPSL for creating filters...

>
> At IX ask Peers to maintain AS-MAC mapping, in order to facilitate back-tracking
>
> 3. DNS POLICIES
> ?rfc 2870 (BCP 40)
> ?rfc 2219 BCP 17
> ?rfc 2182 BCP 16
>
> 4. POLICIES FOR EMAIL
> ?rfc 2505 (BCP 30)

Email server BCOP should be a separate document and I believe we have quite an extensive knowledge and experience on this topic in this group, do we? :)

Cheers, Jan