BCP38 deployment [ was Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey ]

[hugo at slabnet.com (Hugo Slabbert)]

On Sun 2016-Sep-25 15:59:15 -0700, Stephen Satchell <list at satchell.net> wrote:

>On 09/25/2016 07:32 AM, Jay R. Ashworth wrote:
>>>From: "Jay Farrell via NANOG" <nanog at nanog.org>
>>>> And of course Brian Krebs has a thing or two to say, not the least is which
>>>> to push for BCP38 (good luck with that, right?).
>>>>
>>>> https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/
>>Well, given how few contributions we've gotten at bcp38.info in the last,
>>what, 4 years, yeah, I guess so...
>>
>
>Yeah, right.  I looked at BCP38.info, and there is very little 
>concrete information.  I've been slogging through the two RFCs, 2827 
>and 3794, and find it tough sledding to extract the nuggets to put 
>into my firewall and routing table.  One of the more interesting new 
>additions to my systems is this, to the routing tables:
>
### snip ###
>
>In short, I have yet to see a "cookbook" for BGP38 filtering, for ANY 
>filtering system -- BSD, Linux, Cisco.

I am guilty of not yet contributing cookbook-type info to BCP38.info, but:

Cisco:
http://www.bcp38.info/index.php/HOWTO:Cisco points at 
http://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html

Juniper:
https://www.juniper.net/documentation/en_US/junos14.2/topics/usage-guidelines/interfaces-configuring-unicast-rpf.html
http://www.juniper.net/documentation/en_US/junos15.1/topics/topic-map/unicast-rpf.html

Linux: