Additional Information
MANRS Implementation Guide
- Introduction
- Coordination
- Global Validation
- Anti-Spoofing
- Filtering
- Summary and checklists
- Additional information
6. Additional Information
- deny ipv6 prefixes on ipv4 bgp sessions
- can’t find any bogon route filtering in this document at the moment0/8, 10/8, 127/8, 172.16/12, 169.254/16, 192/24, 192.0.2/24, 192.168/16, 198.18/15,198.51.100/24, 203.0.113/24, 224/4, 240/4, I think 100.64/10 should be denied too.
- ::/128, ::1/128, ::FFFF:0:0/96, ::<ipv4-address>/96, 100::/64, fe80::/10, fc00::/7,2001:db8::/32, 2001:10::/28, ff00::/8 (on unicast sessions)
- BGP Security? (MD5, TCP AO)
- Backbone / infrastructure filtering, such as PTP, loopbacks, etc.
7. Historical Background Materials
This document is built on decades of work by network and security professional around the world who have developed, deployed, and communicated techniques which allow for a more robust Internet. The following materials is an attempt to capture all the work this document is built upon.
RFC2827 aka BCP38
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
http://www.ietf.org/rfc/rfc2827.txt
SSAC004
Securing the Edge http://www.icann.org/committees/security/sac004.txt
SSAC008
DNS Distributed Denial of Service (DDoS) Attacks http://www.icann.org/committees/security/dns-ddos-advisory-31mar06.pdf
Spoofer Project https://spoofer.caida.org/
RFC3024 – Reverse Tunneling for Mobile IP, revised ftp://ftp.rfc-editor.org/in-notes/rfc3024.txt
ISOC Anti-Spoofing Page http://www.Internetsociety.org/deploy360/anti-spoofing/
“Network Hygiene Pays Off” – The Business Case for IP Source Address Verification – Joao Luis Silva Damas & Daniel Karrenberg, https://www.ripe.net/publications/docs/ripe-432
“RIPE Anti-Spoofing Task Force HOW-TO”, https://www.ripe.net/publications/docs/ripe-431
Comparative Evaluation of Spoofing Defenses – Ezra Kissel, University of Delaware and Jelena Mirkovic, USC/ISI
Understanding the Efficacy of Deployed Internet Source Address Validation Filtering – Robert Beverly MIT CSAIL, Arthur Berger MIT CSAIL, Young Hyun CAIDA, k claffy CAIDA
RFC 4948 – Report from the IAB workshop on Unwanted Traffic March 9-10, 2006
8. Acknowledgements
The main authors of this document are David Freedman, Brian Foust, Barry Greene, Ben Maddison, Andrei Robachevsky, Job Snijders and Sander Steffann. We also thank Will van Gulik, Jakob Heitz and Aris Lambrianidis, Kevin Meynell and Massimiliano Stucchi for their review and contributions to this document.