On Sat, Apr 5, 2025 at 8:07 AM T. Fırıncı via NANOG <nanog@lists.nanog.org> wrote:
I thought that bcp38 could be a solution, but some people said that this solution would create a problem in multihome networks.
Hi Taygun, BCP 38 works great on multihomed networks. Where it doesn't work is: 1) Large core peering scenarios where an ISP trades routes with another ISP and has to take that ISP's word for it that the offered routes are valid. 2) The customer side of Internet Transit service where the customer has to take the ISP's word for it that the presented routes are legitimate. What _does not_ work in multihomed networks is Reverse Path Filtering. You have to explicitly filter the routes and source IP addresses your customer has authenticated to you. You can't rely on their route advertisement to tell you what packets are legitimate because BGP routing tends to be asymmetric: packets in one direction often follow a different path than packets in the other. Strict RPF breaks multihoming and loose RPF falls far far short of meeting BCP 38's filtering requirement.
What is the exact optimum solution?
Depends on your source of authority. If you're constructing a government mandate then you require anyone selling Internet service in Turkey to implement BCP 38 on every paid Internet connection. That means egress filtering everywhere they buy transit or peering service inside or outside of Turkey and ingress filtering everywhere they sell Internet service inside and outside of Turkey. And you set large and escalating fines for every incident where the ISP is found to be in non-compliance. Then you sit back and let capitalism do what it does best: optimize for cost. If you're talking about voluntary industry action... give up. The BGPSEC effort fell apart and the people who care about BCP 38 already implement it. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/