
BCP 38

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Title: BCP 38
Status: Best Current Practice
Published: 2000
Authors: Paul Ferguson, Craig Martell
Related documents: RFC 2827, RFC 3704
Category: Network security

BCP 38 is an Internet engineering Best Current Practice that addresses network ingress filtering to prevent IP source address spoofing. It prescribes operational measures for Internet Service Providers, network operators, and Internet Engineering Task Force working groups to improve routing integrity and to mitigate abuses such as distributed denial-of-service attacks, IP spoofing, and traffic amplification, techniques used by actors associated with incidents like the Mafiaboy attacks and large-scale NTP amplification events.

Background and Purpose

BCP 38 was developed within the Internet Engineering Task Force framework to guide Regional Internet Registries, the Internet Assigned Numbers Authority, and commercial providers on filtering packets that carry illegitimate source addresses. Its purpose is rooted in historic abuses that exploited the absence of source-address validation, as observed in events involving entities such as the CERT Coordination Center, US-CERT, and investigative reports by Computer Emergency Response Teams. The practice aligns with objectives championed by operational forums like the North American Network Operators Group and with policy discussions at the Internet Architecture Board, and it resonates with mitigation strategies promoted by agencies including the Federal Communications Commission and the European Network and Information Security Agency.

Specification and Recommendations

BCP 38 builds on technical specification work captured in contemporaneous documents authored under the auspices of the Internet Engineering Task Force and its Routing Area and Operations and Management Area groups. It recommends that access networks enforce unicast ingress filtering to block packets whose source addresses are not reachable via the interface on which they arrive; deployment models range from the routing practices of Border Gateway Protocol speakers to Access Control List implementations on equipment from vendors like Cisco Systems, Juniper Networks, and Arista Networks. The document encourages cooperation between entities such as Tier 1 ISPs, Tier 2 ISPs, and enterprise operators, coordinated through communities including the Russian Computer Emergency Response Team and regional forums like APRICOT and RIPE NCC events.

Deployment and Implementation

Operational deployment involves configuring filtering on customer-facing links, often using router features provided on platforms such as Cisco IOS, Juniper Junos, and Brocade Communications Systems equipment, and is coordinated through peering relationships at Internet Exchange Points operated by organizations like LINX, DE-CIX, and AMS-IX. Implementation paths include manual Access Control List creation, automated solutions from projects like MANRS, coordination with registries such as ARIN, RIPE NCC, and APNIC for address provenance, and collaborative incident response linking to teams such as FIRST and national CERTs. Operational guidance also references best practices discussed at venues like IETF meetings, Black Hat, and DEF CON, where practitioners and vendors exchange implementation experience.

Effectiveness and Impact

When widely deployed by Internet Service Providers and enterprise operators, the filtering model reduces the feasibility of spoofed-source amplification attacks that leverage services implicated in past incidents, such as DNS amplification and SNMP amplification vectors. Measured declines in attack volumes have been reported in situational analyses by bodies like ENISA and NTIA and in academic studies from institutions such as MIT CSAIL and UC Berkeley's networking groups. Community initiatives including MANRS, and monitoring projects by Team Cymru and the Shadowserver Foundation, correlate adoption with reductions in usable spoofed address space and with fewer successful hijacks observed by regional Internet registries and large content providers like Google, Facebook, and Cloudflare.

Challenges and Limitations

Practical limitations include legacy infrastructure in networks operated by entities such as small regional providers, contention over the implementation cost of equipment from vendors like Huawei Technologies and ZTE Corporation, and policy hurdles involving cross-border coordination among stakeholders such as national regulators and multinational carriers. Operational constraints arise when asymmetric routing or complex multi-homed architectures, as used by enterprises and content networks like Netflix and Akamai, make strict filtering difficult without detailed route and customer topology knowledge. Additionally, measurement and attribution difficulties persist, as exemplified in analyses by Symantec, Kaspersky Lab, and academic teams, which weakens the incentives for universal adoption.
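The filtering decision described in the Specification section, the customer-link ACL deployment from the Deployment section, and the asymmetric-routing limitation above can all be seen in one small decision model. This is an added, constructed example (not text or code from BCP 38, RFC 2827, or any vendor): the FIB, the per-interface ACL, the interface names and the sample packets are all made up, and the "strict" and "loose" modes model the reverse-path check that router vendors expose as unicast RPF.

```python
from ipaddress import ip_address, ip_network

# Constructed FIB (prefix -> next-hop interface) for a small provider edge.
# Customer B is multi-homed and our best route to its prefix currently points
# at the upstream, so B's outbound packets arrive on 'cust-b' while our return
# traffic leaves via 'upstream' (asymmetric routing).
FIB = {
    ip_network("192.0.2.0/24"): "cust-a",       # single-homed customer A
    ip_network("198.51.100.0/24"): "upstream",  # multi-homed customer B
    ip_network("203.0.113.0/24"): "upstream",   # unrelated remote network
    ip_network("0.0.0.0/0"): "upstream",        # default route
}

# Static BCP 38 ACL: what each customer interface may legitimately source,
# derived from address-assignment records rather than from the routing table.
INGRESS_ACL = {
    "cust-a": [ip_network("192.0.2.0/24")],
    "cust-b": [ip_network("198.51.100.0/24")],
}

def lookup(addr):
    """Longest-prefix match against FIB; returns (prefix, interface) or None."""
    hits = [(p, i) for p, i in FIB.items() if addr in p]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def permit(iface, src, mode):
    """True if a packet with source src arriving on iface is admitted under mode."""
    src = ip_address(src)
    route = lookup(src)
    if mode == "acl":       # static ingress ACL, the RFC 2827 baseline
        return any(src in p for p in INGRESS_ACL.get(iface, []))
    if mode == "strict":    # strict RPF: route to src must point back out iface
        return route is not None and route[1] == iface
    if mode == "loose":     # loose RPF: src only needs some non-default route
        return route is not None and route[0].prefixlen > 0
    raise ValueError(mode)

def evaluate(packets):
    """Run each (iface, src) through all three modes -> {(iface, src): {mode: bool}}."""
    return {pkt: {m: permit(pkt[0], pkt[1], m) for m in ("acl", "strict", "loose")}
            for pkt in packets}

# Constructed sample traffic: two legitimate packets and two spoofed ones.
SAMPLE = [
    ("cust-a", "192.0.2.10"),    # legitimate, single-homed
    ("cust-b", "198.51.100.7"),  # legitimate, but return path is asymmetric
    ("cust-a", "203.0.113.5"),   # spoofed: someone else's allocated address
    ("cust-a", "10.9.8.7"),      # spoofed: bogon with no route but the default
]

if __name__ == "__main__":
    for pkt, verdict in evaluate(SAMPLE).items():
        print(pkt, verdict)
```

The output shows the trade-off the text describes: the static ACL and strict mode both stop the spoofed packets, but strict mode also drops the legitimate multi-homed customer, while loose mode keeps that customer and only catches the bogon.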

BCP 38 complements and follows earlier and subsequent documents, such as the RFCs produced by the Internet Engineering Task Force including RFC 2827 and RFC 3704, and relates to initiatives like MANRS and efforts by the Internet Society to improve routing security. Its lineage intersects with routing security standards including the Resource Public Key Infrastructure, with development work promoted at gatherings of the IETF Routing Area, and with organizational stewardship by groups such as the IAB and IANA. Historical context ties BCP 38 to operational responses after high-profile incidents investigated by entities like the CERT Coordination Center and to policy dialogues in venues such as Gartner summits and workshops hosted by US-CERT and European bodies.
