[vyatta-nsp] BCP38 on Vyatta

Marc A. Runkel mrunkel at untangle.com
Mon Feb 17 16:19:19 EST 2014


Well, it really depends on who you are and what you're trying to do.  If
you're a small network with only a single LAN attached, then that setting
can be useful.  In any other scenario, you don't want to use it at all.

Here's the "problem" with BCP 38, it doesn't protect you from anything, it
protects everyone else, from you and your users.  This is why it's not more
widely implemented.

If you want to prevent spoofing out of your network, just create an "out"
firewall rule on the external interfaces of your network and allow only
packets sourced from your IP ranges to exit.

Or, put input firewall rules on your internal interfaces (customer/user
facing) allowing only those IPs that should be there to enter.  This is
obviously better in that it protects other parts of your network from your
network, but is harder to maintain as you'll have firewall lists on each
interface.

I would also filter all inbound traffic and make sure that packets with
your source IPs aren't allowed into the network.

However, all of that doesn't protect you from someone spoofing your
addresses from remote networks and you getting flooded.

If you want to share a few more details about what kind of network you're
running I can probably give some more on-point advice.

m.




On Mon, Feb 17, 2014 at 2:53 AM, Jared Geiger <jared at compuwizz.net> wrote:

> So with all the latest NTP and DNS spoofing issues, is there a way to
> enable BCP38 or Unicast Reverse Path verification on Vyatta that won't kill
> throughput?
>
> I saw a tip to do this command on startup: echo 1 >
> /proc/sys/net/ipv4/conf/all/rp_filter
>
> Does anyone have any real world experience using this command?
>
> Thanks,
> Jared
>
> _______________________________________________
> vyatta-nsp mailing list
> vyatta-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/vyatta-nsp
>
>


-- 
Marc Runkel
VP, Technical Operations
Untangle, Inc.
(w) 408-598-4279
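The three filters Marc describes (per-interface "in" rules on customer-facing interfaces, an "out" rule on the external interface, and an inbound rule rejecting packets that claim one of your own source addresses), plus the strict reverse-path check that Jared's rp_filter=1 enables, expressed as policy logic in Python. This is an added example for the thread, not code from either poster or from Vyatta; the interface names, prefixes and routing table are constructed for illustration and are not from any real deployment.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample topology for this example (not from the thread):
# two customer-facing interfaces with their assigned prefixes, and the
# upstream-facing external interface eth0.
OWN_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/24")],
}
EXTERNAL_IF = "eth0"

# Constructed routing table used by the strict reverse-path check:
# (prefix, interface the router would use to reach that prefix).
ROUTES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("192.0.2.0/24"), "eth1"),
    (ipaddress.ip_network("198.51.100.0/24"), "eth2"),
    (ipaddress.ip_network("0.0.0.0/0"), EXTERNAL_IF),
]


def all_own_prefixes() -> List[ipaddress.IPv4Network]:
    """Every prefix this network originates, across all internal interfaces."""
    return [p for prefixes in OWN_PREFIXES.values() for p in prefixes]


def ingress_allowed(iface: str, src: str) -> bool:
    """Per-interface 'in' rule on a customer-facing interface: accept only
    sources that belong to that interface's own assigned prefixes. A host on
    eth1 claiming an eth2 address is dropped, which is what makes this
    variant protect the rest of your network from itself."""
    s = ipaddress.ip_address(src)
    return any(s in p for p in OWN_PREFIXES.get(iface, []))


def egress_allowed(src: str) -> bool:
    """'out' rule on the external interface: only your own prefixes may leave.
    This is the minimal BCP 38 filter for a single upstream."""
    s = ipaddress.ip_address(src)
    return any(s in p for p in all_own_prefixes())


def inbound_from_upstream_allowed(src: str) -> bool:
    """'in' rule on the external interface: a packet arriving from upstream
    must not carry one of your own source addresses."""
    return not egress_allowed(src)


def lookup_route(src: str) -> Optional[str]:
    """Longest-prefix match over ROUTES; returns the outgoing interface."""
    s = ipaddress.ip_address(src)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, out_if in ROUTES:
        if s in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, out_if)
    return best[1] if best else None


def reverse_path_ok(iface: str, src: str) -> bool:
    """Strict uRPF, the behaviour of rp_filter=1: the packet's source must be
    routed back out the same interface it arrived on. With only a default
    route pointing upstream, this also rejects your own prefixes on eth0
    and foreign sources on the customer interfaces."""
    return lookup_route(src) == iface


def packet_verdict(iface: str, src: str) -> str:
    """Combine the rules the way they would sit on a single router:
    external interface gets the inbound anti-spoof rule plus uRPF,
    internal interfaces get their per-interface allow-list."""
    if iface == EXTERNAL_IF:
        ok = inbound_from_upstream_allowed(src) and reverse_path_ok(iface, src)
    else:
        ok = ingress_allowed(iface, src)
    return "accept" if ok else "drop"


if __name__ == "__main__":
    samples = [("eth1", "192.0.2.10"), ("eth1", "198.51.100.5"),
               ("eth0", "203.0.113.7"), ("eth0", "192.0.2.10")]
    for iface, src in samples:
        print(f"{iface} src={src}: {packet_verdict(iface, src)}")
```

Note that none of these rules address the case Marc raises at the end: a remote network spoofing your addresses towards a reflector still delivers the reflected flood to you, and only filtering at the remote network's edge stops that.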