[bcop] Some ideas

Jan Zorz - ISOC zorz at isoc.org
Fri Jul 5 07:16:57 CEST 2013


On 6/18/13 8:58 AM, Nash, Steve wrote:
> As a very early starting point, having scanned the ietf BCPs,  I table the following.

Hi,

Thanks for these ideas (and sorry for the late reply, vacation time in Europe ;) )

> I believe we need to consider both what the requirements should be,
> and also what incentives there might be for compliance.

Good point.

> I suggest the emphasis should be on satisfying the world at large
> that  the Internet community encourages its members to behave responsibly.

Responsibility in behavior is a crucial point.

> A secondary objective might be education for new operators.

...and this would make the life of many other "old" operators quite a bit
easier, would it?

>
> ==========================================
> RIPE Implementation Requirements
>
> 1. INHIBIT ADDRESS SPOOFING
>
> 1.1 BCP 38 (rfc 2827) with BCP 84 (rfc 3704) Ingress Filtering Implemented at every access router and switch as appropriate for:
> 	1. Single host
> 	2. Non-Transit subnet
> 	3. Registered sub-network transit (tell ISP of additional address spaces)
> 	4. Open Transit (restrict to BGP?)
> 	5......

I think something like this is already on the table and a group is forming 
around that (Dave Freedman, Merike Kaeo, ...) after the antispoofing 
roundtable at RIPE66 in Dublin.

>
> 1.2 Install RIPE supplied anti-spoofing probe at 10% of access PoPs

This is going to be a long discussion... Technically it's doable, but 
the community needs to say "we want spoofing on the probes".

>
> 1.3 [Consider] TCP/UDP/SCTP.... port filtering
>
> Accept DNS replies (src port 53) only from customers requesting DNS
> support. Block dest port 53 toward non-hosting clients.

This should be a separate document, describing just the DNS best 
practices - how to set up a DNS server as an ISP and how to secure it.

>
>
>
> 2. POLICIES FOR PEERING
>
> Register External Routing Policy in RIPE Db. Ask Peers to comply
> with  this doc (? Inter-RIR ?) ? Apply route filtering

Wondering how many networks use RPSL for creating filters...

>
> At IX ask Peers to maintain AS-MAC mapping, in order to facilitate  back-tracking
>
>
> 3. DNS POLICIES
> ?rfc 2870 (BCP 40)
> ?rfc 2219 BCP 17
> ?rfc 2182 BCP 16
>
>
> 4. POLICIES FOR EMAIL
> ?rfc 2505 (BCP 30)

Email server BCOP should be a separate document and I believe we have 
quite an extensive knowledge and experience on this topic in this group, 
do we? :)

Cheers, Jan


