BGP Best Practices for ISPs (RFC 2827/BCP 38)

…(omitted)

RFC 2827/BCP 38

Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing

"Thou shalt only sendth and receiveth IP packets you have rights for"

Packets should be sourced from valid, allocated address space, consistent with the topology and space allocation

Guidelines for BCP38

Networks connecting to the Internet
=>Must use inbound and outbound packet filters to protect network

Configuration example:
=>Outbound—only allow my network source addresses out
=>Inbound—only allow specific ports to specific destinations in

Techniques for BCP 38 Filtering
.Static ACLs on the edge of the network
.Dynamic ACLs with AAA profiles
.Unicast RPF strict mode
.IP source guard
.Cable source verify (DHCP)

Using ACLs to Enforce BCP38

Static ACLs are the traditional method of ensuring that source addresses are not spoofed:

.Permit all traffic whose source address equals the allocation block
.Deny any other packet

Principles:
.Filter as close to the edge as possible
.Filter as precisely as possible
.Filter both source and destination where possible
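The outbound/inbound configuration example and the static-ACL method above can be expressed as a small, testable policy model. The following is an added example, not configuration from the original post: it simulates the BCP 38 outbound rule ("permit only my allocation as source, deny everything else"), the inbound rule ("only specific ports to specific destinations", plus dropping packets that claim our own block from outside), and a unicast RPF strict-mode check, applied to constructed sample packets. The allocation block 203.0.113.0/24, the neighbouring prefix 198.51.100.0/24, the interface names and the routing table are all constructed assumptions (documentation prefixes), not values from the page. On a Cisco-style router the outbound rule is what an ACL such as `permit ip 203.0.113.0 0.0.0.255 any` followed by `deny ip any any` implements.

```python
import ipaddress
from ipaddress import IPv4Network
from typing import Dict, List, Optional, Set, Tuple

# Constructed assumption: the customer's allocated block (documentation prefix).
ALLOCATION: IPv4Network = ipaddress.ip_network("203.0.113.0/24")

# Constructed assumption: inbound policy, "specific ports to specific destinations".
INBOUND_ALLOW: Dict[IPv4Network, Set[int]] = {
    ipaddress.ip_network("203.0.113.10/32"): {80, 443},  # web server
    ipaddress.ip_network("203.0.113.25/32"): {25},       # mail relay
}

# Constructed assumption: a tiny FIB mapping prefixes to the interface they are
# reached through. Gi0/1 faces the customer, Gi0/0 faces the upstream.
ROUTES: Dict[IPv4Network, str] = {
    ipaddress.ip_network("203.0.113.0/24"): "Gi0/1",
    ipaddress.ip_network("0.0.0.0/0"): "Gi0/0",
}


def outbound_permit(src: str) -> bool:
    """BCP 38 outbound rule: permit a packet only if its source lies inside
    our own allocation; every other source is treated as spoofed."""
    return ipaddress.ip_address(src) in ALLOCATION


def inbound_permit(src: str, dst: str, dport: int) -> bool:
    """Inbound rule: a packet arriving from the Internet may never carry one of
    our own addresses as source (it cannot legitimately come from outside), and
    is otherwise only accepted for explicitly allowed destination/port pairs."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if s in ALLOCATION:
        return False  # anti-spoof: our block entering from the outside
    return any(d in net and dport in ports for net, ports in INBOUND_ALLOW.items())


def _best_route(addr: ipaddress.IPv4Address) -> Optional[Tuple[IPv4Network, str]]:
    """Longest-prefix match over the constructed routing table."""
    best = None
    for net, iface in ROUTES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict_permit(src: str, in_iface: str, allow_default: bool = False) -> bool:
    """Unicast RPF strict mode: the packet is accepted only if the best route back
    to its source address points out the interface it arrived on. The default
    route does not count unless allow_default is set (mirrors the usual
    'allow-default' behaviour of router implementations)."""
    route = _best_route(ipaddress.ip_address(src))
    if route is None:
        return False
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == in_iface


def evaluate(packets: List[Tuple[str, str, str, int, str]]) -> List[bool]:
    """Apply the policy to (direction, src, dst, dport, in_iface) tuples.
    Outbound packets get the BCP 38 source check; inbound packets get the
    destination/port check plus a strict uRPF check on the arrival interface."""
    decisions = []
    for direction, src, dst, dport, in_iface in packets:
        if direction == "out":
            decisions.append(outbound_permit(src))
        else:
            decisions.append(inbound_permit(src, dst, dport)
                             and urpf_strict_permit(src, in_iface, allow_default=True))
    return decisions


# Constructed sample traffic: the spoofed cases are the ones BCP 38 exists to drop.
SAMPLE_PACKETS = [
    ("out", "203.0.113.7", "198.51.100.9", 443, "Gi0/1"),    # legitimate customer source
    ("out", "198.51.100.9", "203.0.113.7", 443, "Gi0/1"),    # spoofed source leaving us
    ("in", "198.51.100.9", "203.0.113.10", 443, "Gi0/0"),    # allowed service
    ("in", "198.51.100.9", "203.0.113.10", 22, "Gi0/0"),     # port not permitted
    ("in", "203.0.113.50", "203.0.113.10", 443, "Gi0/0"),    # our own block from outside
]

if __name__ == "__main__":
    for pkt, ok in zip(SAMPLE_PACKETS, evaluate(SAMPLE_PACKETS)):
        print("permit" if ok else "deny  ", pkt)
```

The uRPF function is the check a router performs per packet when strict mode is enabled on an interface; on an asymmetric path (a legitimate source whose best route points out a different interface) it will drop valid traffic, which is why strict mode fits single-homed customer edges and loose mode or ACLs are used where routing is asymmetric.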
