Raoul Bhatia [IPAX] wrote:
hello steve,
Steve Bertrand wrote:
I've done much research on RPSL, BCP 38, and other basic filter methods (and from a systems standpoint, I always follow an allow, allow, default-deny approach), and I am willing to follow all standards and recommended practices to ensure compliance with current Internet standards.
Did you receive off-list replies? Do you mind replying with a summary of your findings to the list? I would also be interested in this subject, though I will not be able to work on this during the next couple of months.
Yes, I did receive a few very kind off-list replies. The feedback was based mainly on the fact that I have a small number of address blocks, and few connections to the Internet. In summary:
- implement BCP 38 by using ACLs on outward-facing interfaces, permitting anything within my (or my client's) address space as source, and log/deny the rest (which is my personal standard per my OP)
- on all client-connected interfaces, ensure that the prefix(es) you supply them with are found in the source address of inbound packets, and deny the rest
- for smaller *SPs, ACLs are the way to go: with only a few prefixes and a limited number of connections to the Internet, manual management of filters is easily maintained. Inbound ACLs can be put in place when a new client is provisioned, and for a small shop without the need or the resources, strategies such as uRPF are not advised
- pay attention to uRPF ("and the like"), as manual ACL management is not scalable. It pays to keep up with what the "big boys" are doing. Having knowledge of scalable methods while utilizing a basic approach will allow for an easier transition in the event of quick growth/acquisition/new job
- ensure you only advertise your own block(s) via BGP; allow-allow-deny approach
- regarding BGP, scrutinize, but deny by default anything longer than /24. (With IPv6, I don't know of any standard, so I filter above /48, and I have 1579 and 1422 routes with two peers)
The above is a summary of feedback from others.
I have a few that I already do personally, but remember that I don't even advertise my v4 space myself yet:
- peer with Cymru, and null-route BOGONs
- implement a pull-up route
- on all interfaces, 'get rid of' inbound traffic with a source within BOGON space
- inform clients of their broken VPN connections when you see private IP space being sent via their assigned default gateway (which of course is just an alert, because it has already been null0'd)
- always develop the closest-match allow filters you can, and implement with an explicit deny. If anything, for visual purposes
- never be afraid to ask for help
- be confident, but always assume someone knows more than you do
- and most important (IMHO), always acknowledge and be able to admit when you have made a mistake.
Hopefully this summary is ok. Thanks to all those who did reply off-list.
Steve
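As an added illustration, not configuration from the thread or from Steve's network: the Python below models the filter policy summarized in the two messages above (BCP 38 egress filtering, per-customer ingress source checks with a private-source alert, bogon drops, and the /24 and /48 BGP prefix-length limits) as plain functions, so the permit/deny logic can be exercised against sample addresses before it is translated into router ACLs and prefix lists. Every prefix, interface name and the abridged bogon list are constructed for the example; a real deployment would pull the full bogon feed from Cymru and the customer assignments from provisioning.

```python
"""Model of the ACL / prefix-list policy discussed in the thread (added example, not the
original poster's configuration). All addresses below are constructed sample data."""
import ipaddress

IPNet = ipaddress.ip_network

# Constructed sample data (assumed for the example): our own blocks, what each
# customer-facing interface was assigned, and an abridged bogon list.
OUR_PREFIXES = [IPNet("203.0.113.0/24"), IPNet("2001:db8:1::/48")]
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [IPNet("203.0.113.64/26")],
    "ge-0/0/2": [IPNet("203.0.113.128/25"), IPNet("2001:db8:1:ff00::/56")],
}
# Abridged bogon list (RFC 1918, loopback, link-local, ULA); production uses the full Cymru feed.
BOGONS = [IPNet(p) for p in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                              "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]
PRIVATE = [IPNet(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Deny-by-default prefix-length limits from the thread: longer than /24 (v4) or /48 (v6).
MAX_PREFIXLEN = {4: 24, 6: 48}


def _in_any(addr, nets):
    """True if addr falls inside any network of the same IP version."""
    return any(addr in n for n in nets if n.version == addr.version)


def customer_ingress(interface, src):
    """Packet arriving on a customer port: permit only sources inside the prefixes assigned
    to that port. A private (RFC 1918) source is denied and flagged, which is the signal
    used to tell the customer that a VPN is leaking out of their default gateway."""
    src = ipaddress.ip_address(src)
    if _in_any(src, CUSTOMER_PREFIXES.get(interface, [])):
        return "permit"
    if _in_any(src, PRIVATE):
        return "deny+alert-private-source"
    return "deny"


def upstream_egress(src):
    """BCP 38 on the outward-facing interface: permit only our own or our customers'
    address space as source; everything else is logged and denied."""
    src = ipaddress.ip_address(src)
    allowed = OUR_PREFIXES + [n for nets in CUSTOMER_PREFIXES.values() for n in nets]
    return "permit" if _in_any(src, allowed) else "deny+log"


def upstream_ingress(src):
    """Packet arriving from the Internet: drop bogon sources (null-routed in the thread)."""
    src = ipaddress.ip_address(src)
    return "deny" if _in_any(src, BOGONS) else "permit"


def bgp_prefix_accept(prefix):
    """Inbound BGP filter: deny anything longer than the per-family limit, and deny bogons."""
    net = IPNet(prefix, strict=False)
    if net.prefixlen > MAX_PREFIXLEN[net.version]:
        return False
    if any(net.subnet_of(b) for b in BOGONS if b.version == net.version):
        return False
    return True


def bgp_prefix_announce(prefix):
    """Outbound BGP filter: only advertise our own block(s), or subnets of them."""
    net = IPNet(prefix, strict=False)
    return any(net.subnet_of(o) for o in OUR_PREFIXES if o.version == net.version)


if __name__ == "__main__":
    for iface, src in (("ge-0/0/1", "203.0.113.70"), ("ge-0/0/1", "203.0.113.130"),
                       ("ge-0/0/1", "192.168.1.5")):
        print(f"customer ingress {iface} src={src}: {customer_ingress(iface, src)}")
    for src in ("203.0.113.5", "198.51.100.9"):
        print(f"upstream egress src={src}: {upstream_egress(src)}")
    for p in ("198.51.100.0/24", "198.51.100.0/25", "2001:db8::/49", "10.0.0.0/8"):
        print(f"accept {p}: {bgp_prefix_accept(p)}")
```

The three verdict functions correspond one-to-one to ACLs on the three kinds of interface (customer port, transit ingress, transit egress), and each ends in an explicit deny; when the result is translated into router syntax, keep that final deny visible rather than relying on the implicit one, as the thread suggests.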