On 6/2/21 12:39 AM, William Herrin wrote:
> I think you may be misunderstanding BCP 38. BCP 38 is about limiting
> -source- addresses. What you've described is bogon filtering on
> destination IP addresses. As far as I know, there's no BCP on bogon
> filtering although BCP 84 offers some relevant advice.
I agree.
However, I will add that it's trivial to extend the destination-based
filtering to be source-based filtering by enabling reverse path filtering.
Adding the bogons as destinations to a routing table (that is processed)
is compatible with reverse path filtering. Putting the bogons in
IPTables / NFTables is incompatible with reverse path filtering.
Stephen: I've not done this with NetPlan but I do this on Linux and
have found it to be extremely effective when combined with reverse path
filtering. I have an EBGP feed from Team Cymru and augment it
(additional routing tables) with (e-)DROP and federated Fail-2-Ban. I
like it!
--
Grant. . . .
unix || die
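The mechanism Grant describes above, modelled as an added example that is not part of the thread and not Grant's own setup: a small pure-Python model of the Linux FIB with blackhole routes for bogon prefixes, a strict reverse-path check (net.ipv4.conf.all.rp_filter=1) that does a source lookup against that same FIB, and, for contrast, a destination-only netfilter-style check. The bogon list is a constructed handful of RFC 1918 / RFC 6598 / RFC 5737 prefixes rather than a Team Cymru or Spamhaus feed, and the "customer" and "upstream" addresses (198.51.100.0/24, 203.0.113.0/24) are documentation prefixes standing in for real public space, so they are deliberately left out of the constructed bogon list. The function that renders `ip route` / `ip rule` / `sysctl` commands only builds strings; nothing here touches the host's routing table.

```python
"""Bogon blackhole routes plus strict reverse-path filtering, modelled in Python.

Added example (not from the mailing-list thread). The FIB model and the packet
decisions are a simplification of the kernel's behaviour, not the kernel itself.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of unroutable prefixes. Assumption: a real deployment feeds
# these in from a bogon source (e.g. an eBGP session), not a hand-written list.
BOGONS = ["10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16"]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: Optional[str]          # egress interface; None for a blackhole route
    blackhole: bool = False


def build_fib(bogons: List[str], connected: List[Tuple[str, str]]) -> List[Route]:
    """Bogons become blackhole routes; 'connected' is a list of (prefix, dev)."""
    fib = [Route(ipaddress.ip_network(p), None, True) for p in bogons]
    fib += [Route(ipaddress.ip_network(p), dev) for p, dev in connected]
    return fib


def lookup(fib: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match, like a FIB lookup; returns the Route or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in fib:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def forward_decision(fib: List[Route], src: str, dst: str, in_dev: str,
                     rp_filter: bool = True) -> str:
    """Return 'forward' or 'drop:<reason>' for one packet arriving on in_dev.

    Strict rp_filter: the *source* is looked up in the FIB and must resolve to a
    route whose egress interface is the ingress interface. A blackhole route for
    the source makes that lookup fail, so a bogon-sourced packet is dropped even
    though the blackhole routes were only ever written as destinations.
    """
    if rp_filter:
        r = lookup(fib, src)
        if r is None or r.blackhole:
            return "drop:rpf-no-route"
        if r.dev != in_dev:
            return "drop:rpf-wrong-iface"
    r = lookup(fib, dst)
    if r is None:
        return "drop:no-route"
    if r.blackhole:
        return "drop:blackhole-dst"
    return "forward"


def iptables_destination_only(bogons: List[str], src: str, dst: str) -> str:
    """The netfilter approach from the thread: bogons matched only as destinations,
    so rp_filter (which consults the FIB, not netfilter) gains nothing from them."""
    nets = [ipaddress.ip_network(b) for b in bogons]
    if any(ipaddress.ip_address(dst) in n for n in nets):
        return "drop:dst-bogon"
    return "forward"


def ip_commands(bogons: List[str], table: str = "main") -> List[str]:
    """Render the equivalent Linux configuration as strings (not executed here).
    Assumption: a non-main table needs an ip rule so lookups actually consult it."""
    cmds = ["sysctl -w net.ipv4.conf.all.rp_filter=1"]
    cmds += [f"ip route add blackhole {b} table {table}" for b in bogons]
    if table != "main":
        cmds.append(f"ip rule add lookup {table} pref 100")
    return cmds


if __name__ == "__main__":
    fib = build_fib(BOGONS, [("0.0.0.0/0", "eth0"), ("198.51.100.0/24", "eth1")])
    for pkt in [("203.0.113.7", "198.51.100.10"), ("10.1.2.3", "198.51.100.10"),
                ("203.0.113.7", "192.168.1.1"), ("198.51.100.10", "203.0.113.7")]:
        print(pkt, "rpf:", forward_decision(fib, *pkt, "eth0"),
              "iptables-only:", iptables_destination_only(BOGONS, *pkt))
    print("\n".join(ip_commands(BOGONS, table="100")))
```

The interesting row is the packet sourced from 10.1.2.3 arriving on the upstream interface: the FIB model drops it on the reverse-path check, while the destination-only netfilter check lets it through, which is exactly the difference between the two placements Grant contrasts.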