As a very early starting point, having scanned the IETF BCPs, I table the following.

I believe we need to consider both what the requirements should be, and also what incentives there might be for compliance.

I suggest the emphasis should be on satisfying the world at large that the Internet community encourages its members to behave responsibly.

A secondary objective might be education for new operators.

==========================================
RIPE Implementation Requirements

1. INHIBIT ADDRESS SPOOFING

1.1 BCP 38 (RFC 2827) with BCP 84 (RFC 3704) Ingress Filtering
Implemented at every access router and switch as appropriate for:
  1. Single host
  2. Non-Transit subnet
  3. Registered sub-network transit (tell ISP of additional address spaces)
  4. Open Transit (restrict to BGP?)
  5......

1.2 Install RIPE supplied anti-spoofing probe at 10% of access PoPs

1.3 [Consider] TCP/UDP/SCTP.... port filtering
Accept DNS replies (src port 53) only from customers requesting DNS support.
Block dest port 53 toward non-hosting clients.

2. POLICIES FOR PEERING
Register External Routing Policy in RIPE Db.
Ask Peers to comply with this doc (? Inter-RIR ?)
? Apply route filtering
At IX ask Peers to maintain AS-MAC mapping, in order to facilitate back-tracking

3. DNS POLICIES
?RFC 2870 (BCP 40)
?RFC 2219 (BCP 17)
?RFC 2182 (BCP 16)

4. POLICIES FOR EMAIL
?RFC 2505 (BCP 30)

Steve Nash
17 June 2013
steve.nash@theiet.org
================================
On 6/18/13 8:58 AM, Nash, Steve wrote:

> As a very early starting point, having scanned the IETF BCPs, I table the following.

Hi, thanks for these ideas (and sorry for the late reply, vacation time in Europe ;) )

> I believe we need to consider both what the requirements should be, and also what incentives there might be for compliance.

Good point.

> I suggest the emphasis should be on satisfying the world at large that the Internet community encourages its members to behave responsibly.

Responsibility in behavior is a crucial point.

> A secondary objective might be education for new operators.

...and this would make the life of many other "old" operators quite a bit easier, wouldn't it?

> ==========================================
> RIPE Implementation Requirements
>
> 1. INHIBIT ADDRESS SPOOFING
>
> 1.1 BCP 38 (RFC 2827) with BCP 84 (RFC 3704) Ingress Filtering
> Implemented at every access router and switch as appropriate for:
>   1. Single host
>   2. Non-Transit subnet
>   3. Registered sub-network transit (tell ISP of additional address spaces)
>   4. Open Transit (restrict to BGP?)
>   5......

I think something like this is already on the table and a group is forming around that (Dave Freedman, Merike Kaeo, ...) after the anti-spoofing roundtable at RIPE66 in Dublin.

> 1.2 Install RIPE supplied anti-spoofing probe at 10% of access PoPs

This is going to be a long discussion... Technically it's doable, but the community needs to say "we want spoofing on the probes".

> 1.3 [Consider] TCP/UDP/SCTP.... port filtering
> Accept DNS replies (src port 53) only from customers requesting DNS support.
> Block dest port 53 toward non-hosting clients.

This should be a separate document, describing just the DNS best practices: how to set up a DNS server as an ISP and how to secure it.

> 2. POLICIES FOR PEERING
> Register External Routing Policy in RIPE Db.
> Ask Peers to comply with this doc (? Inter-RIR ?)
> ? Apply route filtering

Wondering how many networks use RPSL for creating filters...

> At IX ask Peers to maintain AS-MAC mapping, in order to facilitate back-tracking
>
> 3. DNS POLICIES
> ?RFC 2870 (BCP 40)
> ?RFC 2219 (BCP 17)
> ?RFC 2182 (BCP 16)
>
> 4. POLICIES FOR EMAIL
> ?RFC 2505 (BCP 30)

Email server BCOP should be a separate document, and I believe we have quite extensive knowledge and experience on this topic in this group, don't we? :)

Cheers, Jan
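To make the access-port rules from items 1.1 and 1.3 above concrete, here is a small model of the per-customer checks: a BCP 38 / BCP 84 source-address test against the customer's registered prefixes, plus the two port-53 rules. This is an added illustration, not code from the RIPE document or from either poster; the customer records, the sample addresses (documentation ranges) and the function names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Customer:
    """One access-port customer record (constructed for this example)."""
    prefixes: tuple          # address space the customer is registered to source from
    hosts_dns: bool = False  # True when the customer runs a DNS server on this link


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def _in_registered_space(addr: str, cust: Customer) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in cust.prefixes)


def from_customer(cust: Customer, pkt: Packet) -> str:
    """Ingress check on a packet arriving from the customer side of an access port."""
    # BCP 38 / BCP 84: the source must fall inside the customer's registered
    # prefixes (a /32 for a single host, the subnet for a non-transit customer,
    # every announced downstream block for a registered transit customer).
    if not _in_registered_space(pkt.src, cust):
        return "drop: source not in registered space (BCP 38)"
    # Replies with source port 53 are only expected from customers hosting DNS.
    if pkt.sport == 53 and not cust.hosts_dns:
        return "drop: DNS reply from a customer not hosting DNS"
    return "forward"


def to_customer(cust: Customer, pkt: Packet) -> str:
    """Egress check on a packet leaving toward the customer."""
    # Queries to port 53 toward a customer without a DNS server have no
    # legitimate destination on that link.
    if pkt.dport == 53 and not cust.hosts_dns:
        return "drop: DNS query toward a customer not hosting DNS"
    return "forward"


# Constructed sample customers: a single host and a transit customer running DNS.
HOST = Customer(prefixes=("192.0.2.10/32",))
TRANSIT = Customer(prefixes=("198.51.100.0/24", "203.0.113.0/25"), hosts_dns=True)
```

Run `from_customer(HOST, Packet("203.0.113.7", "198.51.100.5", 40000, 80))` to see the spoofed-source drop; a real deployment would express the same policy as interface ACLs or uRPF on the access router.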