[bcop] Some ideas
snash at arbor.net
Tue Jun 18 08:58:33 CEST 2013
As a very early starting point, having scanned the IETF BCPs, I table the following.
I believe we need to consider both what the requirements should be, and also what incentives there might be for compliance.
I suggest the emphasis should be on satisfying the world at large that the Internet community encourages its members to behave responsibly.
A secondary objective might be education for new operators.
RIPE Implementation Requirements
1. INHIBIT ADDRESS SPOOFING
1.1 BCP 38 (RFC 2827) with BCP 84 (RFC 3704) Ingress Filtering
Implemented at every access router and switch as appropriate for:
    1. Single host
    2. Non-Transit subnet
    3. Registered sub-network transit (tell ISP of additional address spaces)
    4. Open Transit (restrict to BGP?)
1.2 Install RIPE supplied anti-spoofing probe at 10% of access PoPs
1.3 [Consider] TCP/UDP/SCTP.... port filtering
Accept DNS replies (src port 53) only from customers requesting DNS support. Block dest port 53 toward non-hosting clients.
2. POLICIES FOR PEERING
Register External Routing Policy in RIPE Db. Ask Peers to comply with this doc (? Inter-RIR ?) ? Apply route filtering
At IX ask Peers to maintain AS-MAC mapping, in order to facilitate back-tracking
3. DNS POLICIES
?RFC 2870 (BCP 40)
?RFC 2219 (BCP 17)
?RFC 2182 (BCP 16)
4. POLICIES FOR EMAIL
?RFC 2505 (BCP 30)
17 June 2013
steve.nash at theiet.org
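
An added example, not part of the original message: a small Python model of the per-port checks that items 1.1 and 1.3 describe, covering attachment cases 1 to 3 (single host, non-transit subnet, registered transit). The class, function and port names are assumptions made for illustration, the addresses are constructed from documentation prefixes, and case 4 (open transit) is left out because the message leaves it as an open question.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AccessPort:
    """One customer-facing port and the source prefixes it may originate."""
    name: str
    assigned: list                                  # space the ISP assigned (cases 1, 2)
    registered: list = field(default_factory=list)  # extra space the customer declared (case 3)
    dns_support: bool = False                       # customer requested DNS support (item 1.3)

    def allowed(self):
        return [ipaddress.ip_network(p) for p in self.assigned + self.registered]

def ingress_verdict(port, src, proto, sport, dport):
    """Verdict for a packet arriving FROM the customer on this port."""
    addr = ipaddress.ip_address(src)
    # Item 1.1: the source must fall inside space known to sit behind this port.
    if not any(addr in net for net in port.allowed()):
        return "drop: spoofed source"
    # Item 1.3: DNS replies (src port 53) only from customers with DNS support.
    if proto in ("udp", "tcp") and sport == 53 and not port.dns_support:
        return "drop: DNS reply from non-DNS customer"
    return "accept"

def egress_verdict(port, proto, dport):
    """Verdict for a packet being sent TOWARD the customer on this port."""
    # Item 1.3: block dest port 53 toward clients that host no DNS service.
    if proto in ("udp", "tcp") and dport == 53 and not port.dns_support:
        return "drop: dest port 53 toward non-hosting client"
    return "accept"

# Constructed sample ports (hypothetical names, documentation prefixes).
HOST = AccessPort("dsl-17", ["192.0.2.10/32"])                        # case 1
SUBNET = AccessPort("biz-3", ["198.51.100.0/24"], dns_support=True)   # case 2
TRANSIT = AccessPort("cust-as", ["203.0.113.0/25"],
                     registered=["203.0.113.128/26"])                 # case 3

if __name__ == "__main__":
    samples = [
        (HOST, "192.0.2.10", "udp", 40000, 53),       # own address, DNS query
        (HOST, "192.0.2.11", "udp", 40000, 53),       # neighbour's address
        (HOST, "192.0.2.10", "udp", 53, 40000),       # reply from a non-DNS customer
        (SUBNET, "198.51.100.53", "udp", 53, 40000),  # reply from a DNS customer
        (TRANSIT, "203.0.113.130", "tcp", 40000, 443),  # registered extra space
        (TRANSIT, "203.0.113.200", "tcp", 40000, 443),  # unregistered space
    ]
    for port, *pkt in samples:
        print(port.name, pkt, "->", ingress_verdict(port, *pkt))
```
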