[bcop] Some ideas
Jan Zorz - ISOC
zorz at isoc.org
Fri Jul 5 07:16:57 CEST 2013
On 6/18/13 8:58 AM, Nash, Steve wrote:
> As a very early starting point, having scanned the ietf BCPs, I table the following.
Thnx for these ideas (and sorry for the late reply, vacation time in Europe ;) )
> I believe we need to consider both what the requirements should be,
> and also what incentives there might be for compliance.
> I suggest the emphasis should be on satisfying the world at large
> that the Internet community encourages its members to behave responsibly.
Responsibility in behavior is a crucial point.
> A secondary objective might be education for new operators.
...and this would make the life of many other "old" operators much easier,
> RIPE Implementation Requirements
> 1. INHIBIT ADDRESS SPOOFING
> 1.1 BCP 38 (rfc 2827) with BCP 84 (rfc 3704) Ingress Filtering Implemented at every access router and switch as appropriate for:
> 1. Single host
> 2. Non-Transit subnet
> 3. Registered sub-network transit (tell ISP of additional address spaces)
> 4. Open Transit (restrict to BGP?)
I think something like this is already on the table and a group forming
around that (Dave Freedman, Merike Kaeo, ...) after the antispoofing
roundtable at RIPE66 in Dublin.
> 1.2 Install RIPE supplied anti-spoofing probe at 10% of access PoPs
This is going to be a long discussion... Technically it's doable, but
the community needs to say "we want spoofing on the probes".
> 1.3 [Consider] TCP/UDP/SCTP.... port filtering
> Accept DNS replies (src port 53) only from customers requesting DNS
> support. Block dest port 53 toward non-hosting clients.
This should be a separate document, describing just the DNS best
practices - how to set up a DNS server as an ISP and how to secure it.
> 2. POLICIES FOR PEERING
> Register External Routing Policy in RIPE Db. Ask Peers to comply
> with this doc (? Inter-RIR ?) ? Apply route filtering
Wondering how many networks use RPSL for creating filters...
> At IX ask Peers to maintain AS-MAC mapping, in order to facilitate back-tracking
> 3. DNS POLICIES
> ?rfc 2870 (BCP 40)
> ?rfc 2219 BCP 17
> ?rfc 2182 BCP 16
> 4. POLICIES FOR EMAIL
> ?rfc 2505 (BCP 30)
Email server BCOP should be a separate document and I believe we have
quite an extensive knowledge and experience on this topic in this group,
do we? :)