BCP here and there

In my mind, a suite of practices to keep one's garbage contained and
not all over the neighbor's lawn is a good thing and covers many
bases. RPF/BCP38 seems to be the IP level equivalent of blocking
ingress SMTP and forcing delivery through outbound-only servers that
check the claimed envelope and/or header senders for sanity relative
to the authorized sending networks. If so many people are agreeing
on BCP38, what's with the resistance about email, clearly an
equally polluted swamp? Why would one not want to view the two
issues as much the same problem, at different layers?

And yes, I was assuming split-brained mail infrastructure to make
port-25 filtering much simpler. To counter someone's counterargument,
it could boil down to two ACL lines in *many* places, but clearly
not all. Said two lines can come right before the one that says
"permit ip my-source-only any", couldn't they??

Not in a blanket sense, of course -- these things done *where
appropriate* and tuned to known requirements could vastly improve
matters, but it seems that even after all these years so many of
the appropriate places haven't even been touched let alone fixed.


Well at the risk of getting flamed here.. lol

I don't believe there is a real clear answer here to this BCP38 debate.
Great suggestions, great comments, and great what ifs.

From the old days, I always recalled ACLing non-existent scopes within my
nets, again not that that is the answer, but it was a recommended practice,
and when we saw non-existent spaces trying to leave one of our feeds it was
quickly handled internally (i.e. killed the downstream link). As well we
always had to do an internal audit of why/who/where the event took place and
a remedy to it (HIPAA & SOX compliance stuff)

While this thread is informative at times, I think the name calling and
insults really serve no purpose to it.
I recall a funny saying regarding this, opinions are like a......s, everyone
has one and everyone else thinks it stinks. Doesn't mean anyone's right.
Agree to disagree and let's be on with it.
Deja vu, wasn't there a thread about this same subject a while ago, something
regarding RFC2827? Might just be me.

Just my 2¢s

-Joe Blanchard

"I am Joe Blanchard and I approve this message.... lol"