The document is a presentation from a webinar hosted by GLC Networks on the best current practice (BCP 38) for ingress filtering aimed at enhancing network security. It includes foundational knowledge about networking, protocols, and various routing techniques, alongside practical recommendations for mitigating network attacks like IP spoofing and DDoS. The presentation emphasizes the importance of employing strict mode for reverse-path filtering and highlights the role of GLC Networks as an IT training and consulting entity in Indonesia.

1. www.glcnetworks.com
Best Current
Practice (BCP) 38:
Ingress Filtering for
Security
GLC Webinar,
17 Mar 2022
Achmad Mardiansyah
achmad@glcnetworks.com
GLC Networks, Indonesia

2. www.glcnetworks.com
Agenda
● Introduction
● Review prerequisite knowledge
● Network attack
● BCP 38
● Live practice
● Q & A
2

3. www.glcnetworks.com
Introduction
3

4. www.glcnetworks.com
What is GLC?
● Garda Lintas Cakrawala (www.glcnetworks.com)
● Based in Bandung, Indonesia
● Areas: Training, IT Consulting
● Certified partner for: Mikrotik, Ubiquity, Linux foundation
● Product: GLC radius manager
● Regular event
4

5. www.glcnetworks.com
Trainer Introduction
● Name: Achmad Mardiansyah
● Base: bandung, Indonesia
● Linux user since 1999, mikrotik user since 2007, UBNT
2011
● Mikrotik Certified Trainer
(MTCNA/RE/WE/UME/INE/TCE/IPv6)
● Mikrotik/Linux Certified Consultant
● Website contributor: achmadjournal.com, mikrotik.tips,
asysadmin.tips
● More info: http://au.linkedin.com/in/achmadmardiansyah
5

6. www.glcnetworks.com
Past experience
● 2020-2022 (Congo DRC, PNG, Malaysia): network support,
radius/billing integration
● 2019, Congo (DRC): build a wireless ISP from ground-up
● 2018, Malaysia: network revamp, develop billing solution and
integration, setup dynamic routing
● 2017, Libya (north africa): remote wireless migration for a new
Wireless ISP
● 2016, United Kingdom: workshop for wireless ISP, migrating a
bridged to routed network
● 2015, Kalimantan, wireless support
● See our website for more details
6

7. www.glcnetworks.com
About GLC webinar?
● First webinar: january 1, 2010 (title: tahun baru
bersama solaris - new year with solaris OS)
● As a sharing event with various topics: linux,
networking, wireless, database, programming,
etc
● Regular schedule
● Irregular schedule: as needed
● Checking schedule:
http://www.glcnetworks.com/schedule
● You are invited to be a presenter
○ No need to be an expert
○ This is a forum for sharing: knowledge, experiences,
information
7

8. www.glcnetworks.com
Please introduce yourself
● Your name
● Your company/university?
● Your networking experience?
● Your mikrotik experience?
● Your expectation from this course?
8

9. www.glcnetworks.com
Prerequisite
● This presentation requires some prerequisite knowledge
● We assume you already know:
○ Computer network
○ Mikrotik RouterOS
9

10. www.glcnetworks.com
Review prerequisite knowledge
10

11. www.glcnetworks.com
7 OSI layer & protocol
● OSI layer Is a conceptual model from ISO (International
Standard Organization) for project OSI (Open System
Interconnection)
● When you send a message with a courier, you need to
add more info to get your message arrived at the
destination (This process is called encapsulation)
● What is protocol
○ Is a set of rules for communication
○ Available on each layer
● Communication consist of series encapsulation
○ SDU: service data unit (before PDU)
○ PDU: protocol data unit (after header is added)
11

12. www.glcnetworks.com
Layered model (TCP/IP vs ISO) and encapsulation
12
/ datagram

13. www.glcnetworks.com
Layer 4 header
13

14. www.glcnetworks.com
Layer 3 header
14

15. www.glcnetworks.com
Layer 2 header, ethernet
15

16. www.glcnetworks.com
Layer 2 header, 802.11
16

17. www.glcnetworks.com
Did you notice?
● There is a big overhead on encapsulation process
● More encapsulation means less payload?
17

18. www.glcnetworks.com
Layer 2 vs Layer 3 addressing
18
Layer 2 Layer 3
● Burned-in address
● Adjacent communication
● Consist of 48 bit binary,
written in HEX format. 1 HEX
= 4 bit
● Unique for every physical port
● 6 first HEX digit -> represent
the manufacturer
● Logical address
● End-to-end communication
● IPv4 32 bit long
● 2 versions: IPv4 (our focus)
and IPv6
● Consist of network part & host
part
● Can be class based IP
address (without subnet)
● Now it is classless IP address
-> VLSM (variable length
subnet mask)
● CIDR (classless inter domain
routing)

19. www.glcnetworks.com
IP spec (RFC 791)
● Defined long time ago (what 1981?)
● Defines how the IP header looks like
● Still used up to know
● New version -> IPv6
19

20. www.glcnetworks.com
How the layer 3 address look like?
● IPv4 address is 32 bit long
● Written in binary -> always think in binary
● Displayed to human in decimal every 8 bit (octet).
● Has 2 parts: network part and host part
● Like a phone number 0812 XXXXXXXX -> hierarchical
● All devices in the network will have same network part
● First and last address cannot be used (for network id and broadcast id)
20
Network part host part

21. www.glcnetworks.com
Variable-Length Subnet Masking (VLSM)
● Variable-Length Subnet Masking (VLSM)
● Can divide an IP address block into subnets of
different sizes using / (slash) notation
● Solution the in efficient of classful IP address
(fixed length). No more class A, B, C
● RFC: 1878 (1895)
● Basis for CIDR
● Example: 23.45.0.0/17
○ 23.45.0.0/25
○ 23.45.0.128/25
21

22. www.glcnetworks.com
Classless Inter-Domain Routing (CIDR)
● Provides a new and more flexible way to
specify network addresses in routers (using
slash as notation)
● allow flexible allocation of Internet Protocol
(IP) addresses.
● CIDR lets a routing table entry represent an
aggregation of networks that exist in the
forward path
● Each IP address has a network prefix that
identifies their network
● RFC: 1519
22

23. www.glcnetworks.com
Router vs Routing
● Router is a network device that is used to forward
packets, based on layer 3 information (layer 3 header)
● Routing is the process of selecting a path for traffic in a
network, or between or across multiple networks
23
Physical
router
Router
icon

24. www.glcnetworks.com
Network design: physical connection (physical topology)
● Router connects layer 2 segments
● Router works on layer 3
● Meaning, each layer 2 segment has network ID
24
R1
R2
R3
R4
ISP2
ISP1
internet

25. www.glcnetworks.com
Network design: logical connection (logical topology)
25
192.168.0.0/26
R1
192.168.0.1/26
192.168.0.3/26
192.168.0.2/26
R3
R2
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.3.3/24
192.168.3.9/24
192.168.2.9/24
192.168.2.2/24
192.168.1.1/24
192.168.1.9/24
destination gateway
192.168.0.0/26 direct
192.168.1.0/24 direct
192.168.2.0/24 192.168.0.2
192.168.3.0/24 192.168.0.3
192.168.16.3/32 192.168.0.2
0.0.0.0/0 (default gw) 192.168.0.3
Routing table:
● A table at router that is used to forward packet
● Available on every devices (router and host)
● Entry is executed sequentially

26. www.glcnetworks.com
Forwarding packets using routing table
● It works like a firewall: match and action
● When a packet arrived, routing table is used to forward packets
● You should think in binary to understand how it works
26
destination gateway
192.168.16.3/32
11000000 10101000 00001000 00000011
192.168.0.2
192.168.0.0/26
11000000 10101000 00000000 00
direct
192.168.1.0/24
11000000 10101000 00000001
direct
192.168.2.0/24
11000000 10101000 00000010
192.168.0.2
192.168.3.0/24
11000000 10101000 00000011
192.168.0.3
0.0.0.0/0
(no match)
192.168.0.3

27. www.glcnetworks.com
A packet arrived at R1… (example)
Destination IP address of the packet is 192.168.2.6, which gateway do we use?
A: 192.168.2.6 = (11000000 10101000 00000010 00000110
27
destination gateway
192.168.16.3/32
11000000 10101000 00001000 00000011
192.168.0.2
192.168.0.0/26
11000000 10101000 00000000 00
direct
192.168.1.0/24
11000000 10101000 00000001
direct
192.168.2.0/24
11000000 10101000 00000010
192.168.0.2
192.168.3.0/24
11000000 10101000 00000011
192.168.0.3
0.0.0.0/0
(no match)
192.168.0.3

28. www.glcnetworks.com
Where routing table lookup happens?
28

29. www.glcnetworks.com
Administrative distance (analogy)
29
CITY 1 100 km
CITY 2 120 km
CITY 2 90 km
CITY 3 500 km
CITY 4 250 km
10.10.10.0/24 192.168.0.1 10
10.10.20.0/24 192.168.0.2 12
10.10.20.0/24 192.168.0.3 9
10.10.30.0/24 192.168.0.3 50
10.10.40.0/24 192.168.0.4 25

30. www.glcnetworks.com
Administrative distance
● Distance is considered when prefix length is
same
● Lowest distance wins
● Administrative distance policy is depends on
vendor
● Table on the right shows an example of
administrative distance on cisco router
30

31. www.glcnetworks.com
Static routing
31
192.168.0.0/26
R1
192.168.0.1/26
192.168.0.3/26
192.168.0.2/26
R3
R2
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.3.3/24
192.168.3.9/24
192.168.2.9/24
192.168.2.2/24
192.168.1.1/24
192.168.1.9/24
destination gateway
192.168.0.0/26 direct
192.168.1.0/24 direct
192.168.2.0/24 192.168.0.2
192.168.3.0/24 192.168.0.3
192.168.16.3/32 192.168.0.2
0.0.0.0/0 (default gw) 192.168.0.3
● Entries on routing table is created manually
● Admin must manage routing table in all routers
● Admin have full control on routing table

32. www.glcnetworks.com
Dynamic routing
32
192.168.0.0/26
R1
192.168.0.1/26
192.168.0.3/26
192.168.0.2/26
R3
R2
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.3.3/24
192.168.3.9/24
192.168.2.9/24
192.168.2.2/24
192.168.1.1/24
192.168.1.9/24
destination gateway
192.168.0.0/26 direct
192.168.1.0/24 direct
192.168.2.0/24 192.168.0.2
192.168.3.0/24 192.168.0.3
192.168.16.3/32 192.168.0.2
0.0.0.0/0 (default gw) 192.168.0.3
● Router will talk to each other with routing protocol (RIP,
OSPF, BGP)
● Entries on routing table is created automatically
● Admin must have a good knowledge about routing protocol

33. www.glcnetworks.com
Autonomous system (AS)
● Is a collection of routers and networks under one administration and apply single routing policy
● AS is identified by a number (Autonomous System Number - ASN), given by RIR (Regional Internet
Registry: APNIC, ARIN, RIPE, etc)
33
AS1
AS4
AS3
AS2

34. www.glcnetworks.com
Addressing, IANA, RIR
● Internet is based on IP (internet protocol)
addressing scheme -> RFC791
● Addressing has to be unique
● IANA (Internet Assigned Number Authority)
regulates IP address allocation
● IANA delegates (some of its authority) to RIR
(Regional Internet Registry)
● RIR delegates to country’s
● Every organisation must have IP address block
to join the internet and build a routing scheme
among their equipment
34

35. www.glcnetworks.com
Asymmetric routing
● Currently, routing is done one-way only (outbound)
● Forwarding process on router is based on
destination IP address
● There is no guarantee incoming path is similar to
outgoing path
● We can only control outbound traffic
35
R1
192.168.0.1/26
192.168.0.3/26 R3
R2
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.3.3/24
192.168.3.9/24
192.168.2.9/24
192.168.2.2/24
192.168.1.1/24
192.168.1.9/24

36. www.glcnetworks.com
Private IP, public IP and NAT
36
Public IP Private IP (RFC1918)
● Public IP is used globally (internet)
● Must be unique
● Usually borrowed from ISP (via ADSL, GPON,
GSM, 4G, etc)
● Private IP is used privately (internal organisation)
● Duplicated in many organisations

37. www.glcnetworks.com
Network attack
37

38. www.glcnetworks.com
38

39. www.glcnetworks.com
BCP 38
39

40. www.glcnetworks.com
Best Current Practice (BCP)?
● IETF creates RFC (request for
comments), it contains rules of how
communication works
● BCP is A collection of RFC for best
current practices with various topics
40

41. www.glcnetworks.com
BCP 38
● Implemented in RFC 2827 and RFC 3704 (for ISP)
●
41

42. www.glcnetworks.com
BCP 38 on Mikrotik
42

43. www.glcnetworks.com
Reverse-path filtering (RFC3704)
● Disables/enables source validation.
○ no - No source validation.
○ strict - applies Strict Reverse Path. Each incoming packet is tested against the
FIB and if the interface is not the best reverse path the packet check will fail. By
default failed packets are discarded.
○ loose - applies Loose Reverse Path. Each incoming packet's source address is
also tested against the FIB and if the source address is not reachable via any
interface the packet check will fail.
● Recommendation: use strict mode to prevent IP spoofing from
DDoS attacks.
● For asymmetric routing, complex routing, and vrrp case loose
mode is recommended.
43
R1
12.1.1.0/24 .1
.10
internet
dst: y.y.y.y
src: 12.1.1.99
dst: 12.1.1.10
src: x.x.x.x
dst: x.x.x.x
src: 12.1.1.10
.99

44. www.glcnetworks.com
TCP syncookies
● Send out syncookies when the syn backlog queue of a
socket overflows.
● This is to prevent against the common 'SYN flood attack'.
44

45. www.glcnetworks.com
Live practice
● SSH client
● SSH parameters
○ SSH address
○ SSH port
○ SSH username
○ SSH password
45

46. www.glcnetworks.com
QnA
Any questions?
46

47. www.glcnetworks.com
Interested? Just come to our training...
● Topics are arranged in systematic and
logical way
● You will learn from experienced teacher
● Not only learn the materials, but also
sharing experiences, best-practices, and
networking
47

48. www.glcnetworks.com
End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Find our further event on our website :
https://www.glcnetworks.com
● Like our facebook page:
https://www.facebook.com/glcnetworks
● Slide: https://www.slideshare.net/glcnetworks/
● Discord (bahasa indonesia):
(https://discord.gg/6MZ3KUHHBX )
● Recording (youtube):
https://www.youtube.com/c/GLCNetworks
● Stay tune with our schedule
48