Theodore Baschak

BOFH. Open Source Guru. Founder/Operator of Hextet Systems, AS395089 and Network Architect for Daemon Defense Systems, AS55101.

Implementing BCP38

Fri, 29 Mar 2013 22:41:00 -0500 » Security, ISP, System Administration

Unless your network admin has had his/her head in the sand for the past few years, filtering spoofed traffic before it leaves one's own network should already be a concern. Luckily, back in 2000 some NANOG members wrote up a spec, RFC 2827, which was adopted as BCP38.

So what exactly is BCP38? Its title says it all: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. In short, ensure that your customers cannot send traffic from IP addresses for which they are not entitled to receive return traffic. A pretty simple concept. Amazingly, many, if not most, ISPs still do not prevent their customers from sourcing traffic from just any old bogus address.

A simple sample:

interface vlan99
 ip address 192.0.2.1 255.255.255.0
 ip access-group vl99_out in
 ip helper-address x.x.x.x

ip access-list extended vl99_out
 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 127.0.0.0 0.255.255.255 log
 deny   ip any 169.254.0.0 0.0.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.0.2.0 0.0.0.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 deny   ip any 198.18.0.0 0.1.255.255 log
 deny   ip any 198.51.100.0 0.0.0.255 log
 deny   ip any 203.0.113.0 0.0.0.255 log
 deny   ip any 240.0.0.0 15.255.255.255 log
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log

So what does this example do? On the VLAN interface you can see that the local address range is 192.0.2.0/24 and that DHCP requests are relayed to a remote server via the helper address. The ACL is applied inbound, so it controls what hosts on that VLAN may send through the router: a packet is only allowed in if it comes from a valid local source and is headed to a valid destination, or if it is the DHCP discover broadcast (0.0.0.0 to 255.255.255.255) that a host without an address has to send. Destinations that should never receive traffic (private, loopback, link-local, documentation, benchmarking and reserved ranges) are explicitly denied, so junk that could never find a destination is stopped before it even enters your network. Every denied packet is logged, which helps when troubleshooting reports of dropped traffic.
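To check that the list really does what the paragraph above claims, here is an added example of mine, not code from the post or from Cisco: a small Python simulator that parses the vl99_out entries shown above using IOS first-match and wildcard-mask semantics (a 1 bit in the wildcard means "don't care") and walks a few constructed packets through them. The Entry and Packet types, the PORT_NAMES table and the sample packets are assumptions of the example; the ACL text itself is copied from the post.

```python
"""First-match simulator for a Cisco-style extended IPv4 ACL (example, not IOS code)."""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Tuple

# Named ports IOS accepts in "eq" clauses; only bootps is needed for vl99_out. (Assumed table.)
PORT_NAMES = {"bootps": 67, "bootpc": 68}

# The access list from the post, copied verbatim (interface lines omitted).
VL99_OUT = """
permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
deny   ip any 10.0.0.0 0.255.255.255 log
deny   ip any 127.0.0.0 0.255.255.255 log
deny   ip any 169.254.0.0 0.0.255.255 log
deny   ip any 172.16.0.0 0.15.255.255 log
deny   ip any 192.0.2.0 0.0.0.255 log
deny   ip any 192.168.0.0 0.0.255.255 log
deny   ip any 198.18.0.0 0.1.255.255 log
deny   ip any 198.51.100.0 0.0.0.255 log
deny   ip any 203.0.113.0 0.0.0.255 log
deny   ip any 240.0.0.0 15.255.255.255 log
permit ip 192.0.2.0 0.0.0.255 any
deny   ip any any log
"""

def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

@dataclass
class Entry:                 # one parsed ACL line (hypothetical type for this example)
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches everything, otherwise must equal the packet's
    src: Tuple[int, int]     # (base address, wildcard mask)
    dst: Tuple[int, int]
    dport: Optional[int]     # destination port from an "eq" clause, if present
    log: bool

@dataclass
class Packet:                # the few header fields the ACL looks at (hypothetical type)
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None

def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse one address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1          # wildcard all ones: every bit is don't-care
    if tokens[i] == "host":
        return (ip_int(tokens[i + 1]), 0), i + 2   # wildcard zero: exact host match
    return (ip_int(tokens[i]), ip_int(tokens[i + 1])), i + 2

def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            port = tokens[i + 1]
            dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
            i += 2
        entries.append(Entry(action, proto, src, dst, dport, "log" in tokens[i:]))
    return entries

def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    """Cisco wildcard semantics: bits set in the wildcard are ignored, the rest must match."""
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matching entry); unmatched packets hit the
    implicit deny at the end of every IOS access list (index None)."""
    s, d = ip_int(pkt.src), ip_int(pkt.dst)
    for idx, e in enumerate(acl):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (wildcard_match(s, *e.src) and wildcard_match(d, *e.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, idx
    return "deny", None

# Constructed sample packets as seen inbound on vlan99 (not captured traffic).
SAMPLES = {
    "dhcp discover broadcast": Packet("0.0.0.0", "255.255.255.255", "udp", 67),
    "local host to internet":  Packet("192.0.2.50", "198.41.0.4", "udp", 53),
    "spoofed source":          Packet("198.51.100.77", "198.41.0.4", "udp", 53),
    "local host to bogon dst": Packet("192.0.2.50", "10.1.2.3"),
}

def classify_samples(acl: Optional[List[Entry]] = None):
    acl = acl if acl is not None else parse_acl(VL99_OUT)
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, (action, idx) in classify_samples().items():
        print(f"{name:26s} -> {action:6s} (entry {idx})")
```

The spoofed packet is not caught by any of the bogon lines (its destination is perfectly valid); it falls through to the final deny only because its source is not in 192.0.2.0/24. That is the BCP38 part of the list, and it is why the permit for the local prefix has to come before the catch-all deny.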

© Theodore Baschak - https://github.com/tbaschak