My first Internet Draft has just been published

While I was discussing the intricacies of Cisco’s IPv6 implementation with Gunter Van de Velde a while ago, he suddenly changed hats and asked me whether I would be willing to contribute to a BGP filtering best practices draft. I’m still too young to realize it’s not a good idea to say YES every time you see something interesting and immediately accepted the challenge.

Gunter put together a fantastic team including Jerome Durand and Gert Doering, and the first results of our work (where Jerome did most of the heavy lifting) were published last night … I proudly present you the BGP operations and security draft. Comments, corrections and additions are most welcome!

2012-09-21: Changed the link to point to the latest draft.

20 comments:

  1. Congratulations :) What's the feeling? :) You met Gert yet? Is Gunter not a part of the co-authors team?
  2. Congratulations! :-)
  3. Congrats!

    A well deserved gift for your amazing technical background.
  4. In the section 4.1.1.1. IPv4

    o 172.0.0.0/8 and more specific - loopbacks
    should read
    127.0.0.0/8

    Regards,


    Shaun
  5. Section 4.1.1.1. third bullet says "172.0.0.0/8 and more specific - loopbacks" instead of "127. [...]".
  6. Congratulations
  7. Hi,

    Could you (/someone) post templates for Cisco / Juniper for all the mentioned filters in the RFC-draft?

    Would be great.
  8. Just a small idea. Would you think it wise, to have the document written only for IPv6, without referring to IPv4 practices as they must be covered in another document?
  9. First of all congratulations.
    In section 4.1.1.1. RFC3330 is mentioned, which was published in 2002, but there is RFC 5735 published in 2010, with additional not routable prefixes.
  10. Hi Ivan,

    Quite interesting, and nice to put this in writing. The max /24 prefix length on IPv4 will probably not keep on being "best practice", when we get closer to IPv4 Exhaustion.

    Extending the scope, could be to describe some security "best practices", when using BGP Inter-AS option B and C, and maybe CSC.
  11. first sentence in the abstract has broken English:

    Abstract

    " This documents " should be "These documents" or "This document".
  12. One typo:

    Section 4.1.1.1. IPv4

    Substitute " 172.0.0.0/8 and more specific - loopbacks" with " 127.0.0.0/8 and more specific - loopbacks"
  13. Excellent, well done! :)
  14. Great work, Ivan!
    However, I slightly disagree with the filtering of Exchange points LAN prefixes. Blocking these prefixes in combination with unicast reverse path forwarding check might lead to dropping some valuable ICMP, like 3/4 (Frag.needed), and break the PMTU discovery. I agree that is not very likely to happen, but it could be an issue.
  15. You seem to be advocating bogon filtering for IPv6 in section 4.1.2.1. I have to disagree with the notion that it's somehow a "best practice". Bogon filters do not protect from any serious threat but cause lots and lots of connectivity issues when a new prefix becomes allocated.

    It never worked right for IPv4, why would it work for IPv6?
  16. "This protocol does not directly include mechanisms that control that routes exchanged conform to the
    various rules defined by the Internet community."

    should be
    "This protocol does not directly include mechanisms that control the routes exchanged conform to the
    various rules defined by the Internet community."
  17. Welcome to the Dark Side Ivan ;-)