From zorz at isoc.org Sun Jun 16 17:19:52 2013
From: zorz at isoc.org (Jan Zorz - ISOC)
Date: Sun, 16 Jun 2013 17:19:52 +0200
Subject: [bcop] First email to BCOP discussion list...
Message-ID: <51BDD798.1040209@isoc.org>

Hi all,

Finally we have a mailing list (thanks to staff @RIPE-NCC) that we identified as one of the first next steps at BOF in Dublin RIPE meeting.

Please send emails to: bcop at ripe.net

This is the place where we can discuss how to move forward with the Best Current Operational Practices work, how to maybe move it forward towards more official status, who is willing to participate and start the documents - but first of all - we agreed that we need to identify the topics of discussion.

First few that I heard were:

- source addr antispoofing operational practices
- peering good practices
- how to implement IPv6 at ISP (different network types and flavors)
- DNSSEC how-to and practices
...

I would like to invite all to send suggestions so we can identify the topics - and then we can see later where we can start some effort and form groups that would start producing documentation.

Thank you all for participating at BOF, we are aiming for another BOF in Athens (this time with beer and chips in the room, as the BOF should be :) )

Cheers, Jan Zorz

From snash at arbor.net Tue Jun 18 08:58:33 2013
From: snash at arbor.net (Nash, Steve)
Date: Tue, 18 Jun 2013 06:58:33 +0000
Subject: [bcop] Some ideas
Message-ID: <8889DC743021D34399AB2D4981985CFB2C3CAB19EE@MBX21.EXCHPROD.USA.NET>

As a very early starting point, having scanned the IETF BCPs, I table the following.

I believe we need to consider both what the requirements should be, and also what incentives there might be for compliance.

I suggest the emphasis should be on satisfying the world at large that the Internet community encourages its members to behave responsibly. A secondary objective might be education for new operators.

==========================================
RIPE Implementation Requirements

1. INHIBIT ADDRESS SPOOFING

1.1 BCP 38 (rfc 2827) with BCP 84 (rfc 3704) Ingress Filtering
    Implemented at every access router and switch as appropriate for:
    1. Single host
    2. Non-Transit subnet
    3. Registered sub-network transit (tell ISP of additional address spaces)
    4. Open Transit (restrict to BGP?)
    5......

1.2 Install RIPE supplied anti-spoofing probe at 10% of access PoPs

1.3 [Consider] TCP/UDP/SCTP.... port filtering
    Accept DNS replies (src port 53) only from customers requesting DNS support.
    Block dest port 53 toward non-hosting clients.

2. POLICIES FOR PEERING
    Register External Routing Policy in RIPE Db.
    Ask Peers to comply with this doc (? Inter-RIR ?)
    ? Apply route filtering
    At IX ask Peers to maintain AS-MAC mapping, in order to facilitate back-tracking

3. DNS POLICIES
    ?rfc 2870 (BCP 40)
    ?rfc 2219 BCP 17
    ?rfc 2182 BCP 16

4. POLICIES FOR EMAIL
    ?rfc 2505 (BCP 30)

Steve Nash
17 June 2013
steve.nash at theiet.org
================================
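
Items 1.1 and 1.3 of the outline above, worked through as an added example (not part of either message, and not RIPE or IETF code): a per-port filter decision for the first three access classes plus the DNS port rule. The AccessPort class, its field names and the documentation prefixes are assumptions made for illustration; the "Open Transit" class is left out because the outline leaves it as an open question.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class AccessPort:
    """One customer-facing port. Hypothetical model, not a vendor API."""
    name: str
    assigned: list                                   # prefixes the ISP assigned (/32 for a single host)
    registered: list = field(default_factory=list)   # extra space the customer told the ISP about (1.1 item 3)
    dns_hosting: bool = False                        # customer requested DNS support (1.3)

    def allowed_sources(self):
        return [ip_network(p) for p in self.assigned + self.registered]


def ingress(port, src_ip, src_port):
    """Decision for a packet arriving FROM the customer on this port."""
    src = ip_address(src_ip)
    # BCP 38: the source address must belong to space known for this port.
    if not any(src in net for net in port.allowed_sources()):
        return "drop: source not valid for this port (BCP 38)"
    # 1.3: DNS replies (src port 53) only from customers with DNS support.
    if src_port == 53 and not port.dns_hosting:
        return "drop: DNS reply from non-hosting customer"
    return "accept"


def egress(port, dst_port):
    """Decision for a packet going TOWARD the customer on this port."""
    # 1.3: block dest port 53 toward non-hosting clients.
    if dst_port == 53 and not port.dns_hosting:
        return "drop: dest port 53 toward non-hosting customer"
    return "accept"


# Constructed sample ports, one per access class, using documentation prefixes.
HOST = AccessPort("single-host", ["192.0.2.10/32"])
SUBNET = AccessPort("non-transit-subnet", ["198.51.100.0/24"], dns_hosting=True)
TRANSIT = AccessPort("registered-transit", ["203.0.113.0/25"],
                     registered=["203.0.113.128/25"])

if __name__ == "__main__":
    samples = [(HOST, "192.0.2.10", 40000), (HOST, "192.0.2.11", 40000),
               (HOST, "192.0.2.10", 53), (SUBNET, "198.51.100.53", 53),
               (TRANSIT, "203.0.113.200", 1234), (TRANSIT, "198.51.100.1", 1234)]
    for port, ip, sport in samples:
        print(f"{port.name:20} {ip}:{sport:<6} -> {ingress(port, ip, sport)}")
```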