[bcop] Some ideas
Jan Zorz - ISOC
zorz at isoc.org
Fri Jul 5 07:16:57 CEST 2013
On 6/18/13 8:58 AM, Nash, Steve wrote:
> As a very early starting point, having scanned the ietf BCPs, I table the following.

Hi,

Thanks for these ideas (and sorry for the late reply, vacation time in Europe ;) )

> I believe we need to consider both what the requirements should be,
> and also what incentives there might be for compliance.

Good point.

> I suggest the emphasis should be on satisfying the world at large
> that the Internet community encourages its members to behave responsibly.

Responsibility in behavior is a crucial point.

> A secondary objective might be education for new operators.

...and this would make life of many other "old" operators quite easier, would it?

>
> ==========================================
> RIPE Implementation Requirements
>
> 1. INHIBIT ADDRESS SPOOFING
>
> 1.1 BCP 38 (rfc 2827) with BCP 84 (rfc 3704) Ingress Filtering Implemented at every access router and switch as appropriate for:
> 1. Single host
> 2. Non-Transit subnet
> 3. Registered sub-network transit (tell ISP of additional address spaces)
> 4. Open Transit (restrict to BGP?)
> 5......

I think something like this is already on the table and a group is forming around that (Dave Freedman, Merike Kaeo, ...) after the antispoofing roundtable at RIPE66 in Dublin.

>
> 1.2 Install RIPE supplied anti-spoofing probe at 10% of access PoPs

This is going to be a long discussion... Technically it's doable, but the community needs to say "we want spoofing on the probes".

>
> 1.3 [Consider] TCP/UDP/SCTP.... port filtering
>
> Accept DNS replies (src port 53) only from customers requesting DNS
> support. Block dest port 53 toward non-hosting clients.

This should be a separate document, describing just the DNS best practices - how to set up a DNS server as an ISP and how to secure it.

>
>
>
> 2. POLICIES FOR PEERING
>
> Register External Routing Policy in RIPE Db. Ask Peers to comply
> with this doc (? Inter-RIR ?) ? Apply route filtering

Wondering how many networks use RPSL for creating filters...

>
> At IX ask Peers to maintain AS-MAC mapping, in order to facilitate back-tracking
>
>
> 3. DNS POLICIES
> ?rfc 2870 (BCP 40)
> ?rfc 2219 BCP 17
> ?rfc 2182 BCP 16
>
>
> 4. POLICIES FOR EMAIL
> ?rfc 2505 (BCP 30)

Email server BCOP should be a separate document and I believe we have quite an extensive knowledge and experience on this topic in this group, do we? :)

Cheers, Jan