[bcop] anti-spoofing document

Hi Mikael,

On 11/11/14 21:05, Mikael Abrahamsson wrote:
> I keep running into people who have never heard of the excellent
> document that Torbjörn Eklöv has created over time. It came out of work
> to create requirements and certification for access networks, one large
> reason was to assure a secure end user connection that didn't have MITM
> and spoofing problems.
> 
> The main site is here:
> 
> http://secureenduserconnection.se/
> 
> Direct link to the current version of the document:
> 
> http://secureenduserconnection.se/wp-content/uploads/2012/02/SEC-Secure-End-user-Connection-2014-05-30.pdf
> 
> 
> I recommend everybody looking for information and requirements on how to
> create a secure network to read this document. It's very comprehensive.

Thank you for this reference to this comprehensive work.  By its
completeness, the document could be a basis for a number of BCOPs.

For the IPv4 and IPv6 address spoofing, the documents suggests using a
access filtering based on IPv4/6 address whitelist table on customer
ports.  For IPv6 it gives examples to build such a whitelist table, but
I see in the edit history, they removed such examples for IPv4.  I will
check if the examples are still in previous versions of the document.

Good topic for ongoing discussions now we start thinking of TCP FastOpen
(https://tools.ietf.org/html/draft-ietf-tcpm-fastopen) and UDP gained
new interest as an alternative to surf the web
(https://ripe69.ripe.net/wp-content/uploads/presentations/166-quic.v0.1.pdf).

Cheers,

-- Benno


-- 
Benno J. Overeinder
NLnet Labs
http://www.nlnetlabs.nl/