On Mon, Nov 7, 2022 at 8:47 AM Charles Rumford via NANOG <nanog@nanog.org> wrote:
> I'm currently working on getting BCP38 filtering in place for our BGP
> customers. My current plan is to use the Juniper uRPF feature to filter out
> spoofed traffic based on the routing table. The mentality would be: "If you
> don't send us the prefix, then we don't accept the traffic". This has raised
> some issues amongst our network engineers regarding multi-homed customers.

As it should. This plan will break asymmetric routing which is an ordinary part of multihoming. Moreover, it would not actually accomplish BCP 38 since the customer would be able to falsify route announcements. So, basically a complete fail.

For a small BGP customer who has no downstreams of his own, implement static filters based on the address ranges you have personally authenticated as belonging to the customer. PERSONALLY AUTHENTICATED. This means a manual process. The customer will have to administratively inform you when those address ranges change.

For large BGP customers who service many BGP downstreams, the bottom line is that BCP 38 cannot be reasonably implemented. It's one of the weaknesses in the system.

Regards,
Bill Herrin

--
For hire. https://bill.herrin.us/resume/
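
Added example, not part of the original message: a small Python model comparing the route-derived rule from the quoted plan with a static filter built from authenticated ranges, for the two cases the reply raises (a multihomed customer who announces a prefix only to another upstream, and a customer who announces a range that is not theirs). The prefixes, sample packets and function names are constructed for illustration, and the route-based check is a simplification that assumes announcements are accepted as sent.

```python
import ipaddress

# Constructed scenario using documentation prefixes (not from the thread).
AUTHENTICATED = ["192.0.2.0/24", "198.51.100.0/24"]   # ranges verified as the customer's
ANNOUNCED_TE = ["192.0.2.0/24"]                        # multihomed: second prefix announced only to the other upstream
ANNOUNCED_FALSIFIED = ["192.0.2.0/24", "203.0.113.0/24"]  # customer also announces a range that is not theirs

PACKETS = [
    ("192.0.2.10", "customer range, announced to us"),
    ("198.51.100.7", "customer range, announced only to the other upstream"),
    ("203.0.113.5", "not a customer range"),
]


def covered(src, prefixes):
    """True if src falls inside any of the given prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def route_based_accept(src, announced):
    """Simplified model of the route-derived rule: accept only sources inside
    a prefix the customer sent us (assumes announcements are accepted as-is)."""
    return covered(src, announced)


def static_accept(src, authenticated):
    """Static filter built from ranges verified out of band."""
    return covered(src, authenticated)


def evaluate(announced, authenticated=AUTHENTICATED):
    """Map each sample source to (route_based_verdict, static_verdict)."""
    return {src: (route_based_accept(src, announced), static_accept(src, authenticated))
            for src, _ in PACKETS}


if __name__ == "__main__":
    for label, announced in (("traffic-engineered", ANNOUNCED_TE),
                             ("falsified announcement", ANNOUNCED_FALSIFIED)):
        print(label)
        verdicts = evaluate(announced)
        for src, note in PACKETS:
            route_ok, static_ok = verdicts[src]
            print(f"  {src:<14} route-based={route_ok!s:<5} static={static_ok!s:<5} ({note})")
```

In the first case the route-derived rule drops legitimate customer traffic that the static filter passes; in the second it passes a source the static filter drops.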