My first Internet Draft has just been published

While I was discussing the intricacies of Cisco’s IPv6 implementation with Gunter Van de Velde a while ago, he suddenly changed hats and asked me whether I would be willing to contribute to a BGP filtering best practices draft. I’m still too young to realize it’s not a good idea to say YES every time you see something interesting and immediately accepted the challenge.

Gunter put together a fantastic team including Jerome Durand and Gert Doering, and the first results of our work (where Jerome did most of the heavy lifting) were published last night … I proudly present the BGP operations and security draft. Comments, corrections and additions are most welcome!

2012-09-21: Changed the link to point to the latest draft.

20 comments:

  1. Congratulations :) What's the feeling? :) Have you met Gert yet? Is Gunter not a part of the co-authors team?

  2. Congratulations! :-)

  3. Calin Chiorean (02 March, 2012 11:13)

    Congrats!

    A well deserved gift for your amazing technical background.

  4. Olivier Cahagne (02 March, 2012 11:19)

    Congratulations!

  5. In the section 4.1.1.1. IPv4

    o 172.0.0.0/8 and more specific - loopbacks
    should read
    127.0.0.0/8

    Regards,

    Shaun

  6. Section 4.1.1.1. third bullet says "172.0.0.0/8 and more specific - loopbacks" instead of "127. [...]".

  7. Congratulations

  8. Hi,

    Could you (/someone) post templates for Cisco / Juniper for all the mentioned filters in the RFC-draft?

    Would be great.

  9. Just a small idea. Would you think it wise to have the document written only for IPv6, without referring to IPv4 practices, as they must be covered in another document?

  10. First of all congratulations.
    In section 4.1.1.1. RFC 3330 is mentioned, which was published in 2002, but there is RFC 5735, published in 2010, with additional non-routable prefixes.

  11. Joachim Jerberg Jensen (02 March, 2012 19:29)

    Hi Ivan,

    Quite interesting, and nice to put this in writing. The max /24 prefix length on IPv4 will probably not keep on being "best practice" when we get closer to IPv4 exhaustion.

    Extending the scope could be to describe some security "best practices" when using BGP Inter-AS option B and C, and maybe CSC.

  12. The first sentence in the abstract has broken English:

    Abstract

    " This documents " should be "These documents" or "This document".

  13. One typo:

    Section 4.1.1.1. IPv4

    Substitute " 172.0.0.0/8 and more specific - loopbacks" with " 127.0.0.0/8 and more specific - loopbacks"

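As an added illustration (not part of the post or of the draft, which contains no code), here is a small Python ingress sanity check that implements the two points raised in the comments above: the RFC 5735 special-use list, with loopback as 127.0.0.0/8 rather than the 172.0.0.0/8 typo, and the /24 maximum prefix length from comment 11. The block list is the one published in RFC 5735; the sample prefixes are constructed for the example.

```python
from ipaddress import IPv4Network, ip_network
from typing import Optional

# Special-use IPv4 blocks listed in RFC 5735 (which obsoleted RFC 3330).
# A route for any of these blocks, or anything more specific, is rejected.
SPECIAL_USE_V4 = {
    "0.0.0.0/8": "this network",
    "10.0.0.0/8": "private (RFC 1918)",
    "127.0.0.0/8": "loopback",          # not 172.0.0.0/8, as the typo had it
    "169.254.0.0/16": "link local",
    "172.16.0.0/12": "private (RFC 1918)",
    "192.0.0.0/24": "IETF protocol assignments",
    "192.0.2.0/24": "TEST-NET-1",
    "192.88.99.0/24": "6to4 relay anycast",
    "192.168.0.0/16": "private (RFC 1918)",
    "198.18.0.0/15": "benchmarking",
    "198.51.100.0/24": "TEST-NET-2",
    "203.0.113.0/24": "TEST-NET-3",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved / limited broadcast",
}
_SPECIAL_USE = [(IPv4Network(p), why) for p, why in SPECIAL_USE_V4.items()]


def reject_reason(prefix: str, max_len: int = 24) -> Optional[str]:
    """Return why an IPv4 route should be dropped at an eBGP ingress filter,
    or None if it passes. max_len mirrors the draft's /24 limit."""
    try:
        net = ip_network(prefix, strict=True)  # host bits set -> malformed
    except ValueError as exc:
        return f"malformed prefix: {exc}"
    if net.version != 4:
        return "not IPv4"
    for block, why in _SPECIAL_USE:
        if net.subnet_of(block):
            return f"special-use {block} ({why}), RFC 5735"
    if net.prefixlen > max_len:
        return f"more specific than /{max_len}"
    return None


def filter_update(prefixes, max_len: int = 24):
    """Split a batch of announced prefixes into accepted list and
    a dict of rejected prefix -> reason."""
    accepted, rejected = [], {}
    for p in prefixes:
        why = reject_reason(p, max_len)
        if why:
            rejected[p] = why
        else:
            accepted.append(p)
    return accepted, rejected
```

Note that 172.0.0.0/8 itself passes the filter: only 172.16.0.0/12 inside it is special-use, so a filter built from the typo would have dropped legitimately allocated space.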
  14. Dmitri Kalintsev (03 March, 2012 01:17)

    Excellent, well done! :)

  15. congrats....

  16. Juan Tarrio, Brocade (03 March, 2012 23:41)

    Congrats Ivan!

  17. Great work, Ivan!
    However, I slightly disagree with the filtering of exchange point LAN prefixes. Blocking these prefixes in combination with a unicast reverse path forwarding check might lead to dropping some valuable ICMP, like type 3 code 4 (fragmentation needed), and break PMTU discovery. I agree that it is not very likely to happen, but it could be an issue.

  18. Daniel Ginsburg (07 March, 2012 18:50)

    You seem to be advocating bogon filtering for IPv6 in section 4.1.2.1. I have to disagree with the notion that it's somehow a "best practice". Bogon filters do not protect from any serious threat but cause lots and lots of connectivity issues when a new prefix becomes allocated.

    It never worked right for IPv4, why would it work for IPv6?

  19. "This protocol does not directly include mechanisms that control that routes exchanged conform to the
    various rules defined by the Internet community."

    should be
    "This protocol does not directly include mechanisms that control the routes exchanged conform to the
    various rules defined by the Internet community."

  20. Welcome to the Dark Side Ivan ;-)



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.