Webinar topic: Best Current Practice (BCP) 38 Ingress Filtering for Security
Presenter: Achmad Mardiansyah
In this webinar series we discussed Best Current Practice (BCP) 38, ingress filtering for security
Please share your feedback or webinar ideas here: http://bit.ly/glcfeedback
Check our schedule for future events: https://www.glcnetworks.com/en/schedule/
Follow our social media for updates: Facebook, Instagram, YouTube channel, Telegram and Discord
Recording available on Youtube
https://youtu.be/0YQRQ046Lg8
4. www.glcnetworks.com
What is GLC?
● Garda Lintas Cakrawala (www.glcnetworks.com)
● Based in Bandung, Indonesia
● Areas: Training, IT Consulting
● Certified partner for: MikroTik, Ubiquiti, Linux Foundation
● Product: GLC radius manager
● Regular events
5. www.glcnetworks.com
Trainer Introduction
● Name: Achmad Mardiansyah
● Base: Bandung, Indonesia
● Linux user since 1999, MikroTik user since 2007, UBNT user since 2011
● MikroTik Certified Trainer (MTCNA/RE/WE/UME/INE/TCE/IPv6)
● MikroTik/Linux Certified Consultant
● Website contributor: achmadjournal.com, mikrotik.tips, asysadmin.tips
● More info: http://au.linkedin.com/in/achmadmardiansyah
6. www.glcnetworks.com
Past experience
● 2020-2022 (Congo DRC, PNG, Malaysia): network support, RADIUS/billing integration
● 2019, Congo (DRC): built a wireless ISP from the ground up
● 2018, Malaysia: network revamp, developed a billing solution and its integration, set up dynamic routing
● 2017, Libya (North Africa): remote wireless migration for a new wireless ISP
● 2016, United Kingdom: workshop for a wireless ISP, migrating a bridged network to a routed one
● 2015, Kalimantan: wireless support
● See our website for more details
7. www.glcnetworks.com
About the GLC webinar
● First webinar: January 1, 2010 (title: "Tahun baru bersama Solaris", new year with the Solaris OS)
● A sharing event with various topics: Linux, networking, wireless, databases, programming, etc.
● Regular schedule
● Irregular schedule: as needed
● Check the schedule: http://www.glcnetworks.com/schedule
● You are invited to be a presenter
○ No need to be an expert
○ This is a forum for sharing knowledge, experiences and information
11. www.glcnetworks.com
The 7 OSI layers & protocols
● The OSI model is a conceptual model from ISO (the International Organization for Standardization) for the OSI (Open Systems Interconnection) project
● When you send a message with a courier, you need to add more information (an envelope, an address) to get your message to its destination; in networking this process is called encapsulation
● What is a protocol?
○ A set of rules for communication
○ There is one (or more) on each layer
● Communication consists of a series of encapsulations
○ SDU: service data unit (the payload before the header is added)
○ PDU: protocol data unit (after the header is added)
18. www.glcnetworks.com
Layer 2 vs Layer 3 addressing

Layer 2 (MAC address)
● Burned-in address (but it can be overridden in software, so it must not be trusted as an identity)
● Adjacent (hop-by-hop) communication
● Consists of 48 bits, written in hex (1 hex digit = 4 bits)
● Unique for every physical port
● The first 6 hex digits (the OUI) identify the manufacturer

Layer 3 (IP address)
● Logical address
● End-to-end communication
● IPv4 is 32 bits long
● 2 versions: IPv4 (our focus) and IPv6
● Consists of a network part and a host part
● Originally class-based (classful) addressing, without a subnet mask
● Now classless: VLSM (variable-length subnet mask)
● CIDR (classless inter-domain routing)
19. www.glcnetworks.com
IP spec (RFC 791)
● Defined a long time ago (September 1981)
● Defines what the IP header looks like
● Still in use today
● New version -> IPv6
20. www.glcnetworks.com
What does the layer 3 address look like?
● An IPv4 address is 32 bits long
● Written in binary -> always think in binary
● Displayed to humans in decimal, one number per 8 bits (octet)
● Has 2 parts: a network part and a host part (figure: network part | host part)
● Like a phone number, 0812 XXXXXXXX -> hierarchical (a prefix, then the individual number)
● All devices in the same network have the same network part
● The first and last addresses of a subnet cannot be used for hosts (network ID and broadcast address); the exceptions are /31 point-to-point links (RFC 3021) and /32 host routes
21. www.glcnetworks.com
Variable-Length Subnet Masking (VLSM)
● Divides an IP address block into subnets of different sizes, using the / (slash) notation for the prefix length
● Solves the inefficiency of classful (fixed-length) addressing: no more class A, B, C
● RFC 1878 (1995)
● Basis for CIDR
● Example: 23.45.0.0/17 can be divided into /25 subnets, starting with
○ 23.45.0.0/25
○ 23.45.0.128/25
22. www.glcnetworks.com
Classless Inter-Domain Routing (CIDR)
● Provides a new and more flexible way to specify network addresses in routers (using the slash notation)
● Allows flexible allocation of Internet Protocol (IP) addresses
● CIDR lets one routing table entry represent an aggregation of networks that lie in the same forwarding path
● Each IP address has a network prefix that identifies its network
● RFC 1519 (1993), now replaced by RFC 4632
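The subnet arithmetic of slides 20 to 22 (network/host split, VLSM split of 23.45.0.0/17 into /25 blocks, and CIDR aggregation of two blocks back into one entry), as an added Python example. It is not code from the slides; it deliberately uses only integer bit operations so the binary view the slides recommend stays visible, and the function names are chosen here.

```python
# Added example (not from the GLC slides): IPv4 subnet arithmetic in binary.
import socket
import struct


def ip_to_int(dotted: str) -> int:
    """'23.45.0.0' -> 32-bit integer (network byte order)."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def int_to_ip(value: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", value & 0xFFFFFFFF))


def prefix_mask(prefixlen: int) -> int:
    """/17 -> 0xFFFF8000: the top `prefixlen` bits set, the host bits clear."""
    if not 0 <= prefixlen <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF


def describe(cidr: str) -> dict:
    """Network ID, broadcast address, mask and usable host count of a block."""
    addr, plen = cidr.split("/")
    plen = int(plen)
    mask = prefix_mask(plen)
    net = ip_to_int(addr) & mask          # clear the host bits -> network ID
    bcast = net | (~mask & 0xFFFFFFFF)    # set the host bits   -> broadcast
    size = 1 << (32 - plen)
    # First and last address are reserved, except on /31 (RFC 3021) and /32.
    usable = size if plen >= 31 else size - 2
    return {
        "network": int_to_ip(net),
        "broadcast": int_to_ip(bcast),
        "mask": int_to_ip(mask),
        "usable_hosts": usable,
        "binary": format(net, "032b"),
    }


def vlsm_split(cidr: str, new_prefix: int) -> list:
    """Divide a block into equal subnets of length new_prefix (VLSM)."""
    old_prefix = int(cidr.split("/")[1])
    if new_prefix < old_prefix:
        raise ValueError("new prefix must be longer than the block's prefix")
    base = ip_to_int(describe(cidr)["network"])
    step = 1 << (32 - new_prefix)              # addresses per subnet
    count = 1 << (new_prefix - old_prefix)     # number of subnets
    return [f"{int_to_ip(base + i * step)}/{new_prefix}" for i in range(count)]


def cidr_aggregate(a: str, b: str):
    """Supernet of two adjacent, same-size blocks that share a parent,
    or None if they cannot be summarised into one routing entry."""
    net_a, plen_a = a.split("/")
    net_b, plen_b = b.split("/")
    plen_a, plen_b = int(plen_a), int(plen_b)
    if plen_a != plen_b or plen_a == 0:
        return None
    ia = ip_to_int(net_a) & prefix_mask(plen_a)
    ib = ip_to_int(net_b) & prefix_mask(plen_b)
    parent = prefix_mask(plen_a - 1)           # one bit shorter
    if ia == ib or (ia & parent) != (ib & parent):
        return None
    return f"{int_to_ip(ia & parent)}/{plen_a - 1}"


if __name__ == "__main__":
    print(describe("23.45.0.0/17"))
    print(vlsm_split("23.45.0.0/17", 25)[:2], "... 256 subnets in total")
    print(cidr_aggregate("23.45.0.0/25", "23.45.0.128/25"))
```

The aggregation check is the CIDR idea from slide 22 in miniature: two /25 blocks collapse into one /24 entry only when they differ in exactly the last network bit; 23.45.0.128/25 and 23.45.1.0/25 are adjacent in address space but have different /24 parents, so they stay as two routes.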
23. www.glcnetworks.com
Router vs Routing
● Router is a network device that is used to forward
packets, based on layer 3 information (layer 3 header)
● Routing is the process of selecting a path for traffic in a
network, or between or across multiple networks
(figure: a physical router next to the router icon used in the diagrams)
24. www.glcnetworks.com
Network design: physical connection (physical topology)
● A router connects layer 2 segments
● A router works on layer 3
● Meaning each layer 2 segment has its own network ID (IP subnet)
(figure: physical topology with routers R1, R2, R3 and R4 connected to ISP1 and ISP2 and on to the internet)
25. www.glcnetworks.com
Network design: logical connection (logical topology)
(figure: R1, R2 and R3 share the transit network 192.168.0.0/26 (R1 = 192.168.0.1, R2 = 192.168.0.2, R3 = 192.168.0.3); R1 serves 192.168.1.0/24 (router 192.168.1.1, host 192.168.1.9), R2 serves 192.168.2.0/24 (router 192.168.2.2, host 192.168.2.9), R3 serves 192.168.3.0/24 (router 192.168.3.3, host 192.168.3.9))

Routing table of R1:
destination           gateway
192.168.0.0/26        direct
192.168.1.0/24        direct
192.168.2.0/24        192.168.0.2
192.168.3.0/24        192.168.0.3
192.168.16.3/32       192.168.0.2
0.0.0.0/0 (default)   192.168.0.3

Routing table:
● A table on the router that is used to forward packets
● Available on every device (routers and hosts)
● Lookup is by longest prefix match: the most specific matching entry wins, regardless of the order in which entries are listed; the default route 0.0.0.0/0 matches everything and is used only when nothing more specific does
26. www.glcnetworks.com
Forwarding packets using the routing table
● It works like a firewall: match and action, except that the most specific match (longest prefix) wins instead of the first one
● When a packet arrives, the routing table is used to choose where to forward it
● Think in binary to understand how it works: only the bits covered by the prefix length are compared

The table below is R1's table sorted most-specific first, so reading it top-down gives the same result as longest prefix match:
destination        bits that must match                    gateway
192.168.16.3/32    11000000 10101000 00010000 00000011    192.168.0.2
192.168.0.0/26     11000000 10101000 00000000 00          direct
192.168.1.0/24     11000000 10101000 00000001             direct
192.168.2.0/24     11000000 10101000 00000010             192.168.0.2
192.168.3.0/24     11000000 10101000 00000011             192.168.0.3
0.0.0.0/0          (no bits to match: used when nothing else matches)   192.168.0.3
27. www.glcnetworks.com
A packet arrives at R1... (example)
The destination IP address of the packet is 192.168.2.6. Which gateway do we use?
A: 192.168.2.6 = 11000000 10101000 00000010 00000110
● 192.168.16.3/32: the third octet differs (00010000 vs 00000010) -> no match
● 192.168.0.0/26: the third octet differs (00000000 vs 00000010) -> no match
● 192.168.1.0/24: the third octet differs (00000001 vs 00000010) -> no match
● 192.168.2.0/24: the first 24 bits are identical -> match
● 0.0.0.0/0 also matches, but /24 is the longer prefix
Result: forward to gateway 192.168.0.2 (the table is the same as on the previous slide)
29. www.glcnetworks.com
Administrative distance (analogy)

Road signs (two signs point to CITY 2; you take the shorter one):
CITY 1   100 km
CITY 2   120 km
CITY 2    90 km
CITY 3   500 km
CITY 4   250 km

Routing table (two routes to 10.10.20.0/24; the one with the lower distance is used):
destination     gateway       distance
10.10.10.0/24   192.168.0.1   10
10.10.20.0/24   192.168.0.2   12
10.10.20.0/24   192.168.0.3    9
10.10.30.0/24   192.168.0.3   50
10.10.40.0/24   192.168.0.4   25
30. www.glcnetworks.com
Administrative distance
● Distance is only compared between routes to the same prefix (same destination and prefix length); longest prefix match always comes first
● The lowest distance wins
● The administrative distance policy depends on the vendor
● The table on the right of the slide shows an example of the default administrative distances on Cisco routers (not reproduced in this text)
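Route selection as the slides describe it (longest prefix match on slides 26 and 27, then administrative distance as the tiebreak on slides 29 and 30), as an added Python example that is not part of the slides. The table is R1's table from slide 25 with the two 10.10.20.0/24 routes from slide 29 added; the distance values are the slides' illustrative numbers, not any vendor's defaults, and Route, lookup and next_hop are names chosen here.

```python
# Added example (not from the GLC slides): longest prefix match with
# administrative distance as the tiebreak, comparing bits as in slide 26.
import socket
import struct
from dataclasses import dataclass


def ip_to_int(dotted: str) -> int:
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


@dataclass(frozen=True)
class Route:
    prefix: str        # dotted network address
    prefixlen: int     # how many leading bits must match
    gateway: str       # "direct" or the next-hop IP
    distance: int = 1  # administrative distance; lower is preferred

    def matches(self, dst: int) -> bool:
        # Only the top `prefixlen` bits are compared; /0 compares nothing.
        mask = (0xFFFFFFFF << (32 - self.prefixlen)) & 0xFFFFFFFF
        return (dst & mask) == (ip_to_int(self.prefix) & mask)


# R1's table from slide 25 plus the duplicate prefix from slide 29.
R1_TABLE = [
    Route("192.168.0.0", 26, "direct"),
    Route("192.168.1.0", 24, "direct"),
    Route("192.168.2.0", 24, "192.168.0.2"),
    Route("192.168.3.0", 24, "192.168.0.3"),
    Route("192.168.16.3", 32, "192.168.0.2"),
    Route("0.0.0.0", 0, "192.168.0.3"),              # default route
    Route("10.10.20.0", 24, "192.168.0.2", distance=12),
    Route("10.10.20.0", 24, "192.168.0.3", distance=9),
]


def lookup(table, dst_ip: str):
    """Most specific matching route; among equal prefix lengths the lowest
    administrative distance wins. The order of the table does not matter."""
    dst = ip_to_int(dst_ip)
    candidates = [r for r in table if r.matches(dst)]
    if not candidates:
        return None  # no route, not even a default: the packet is dropped
    return min(candidates, key=lambda r: (-r.prefixlen, r.distance))


def next_hop(table, dst_ip: str):
    route = lookup(table, dst_ip)
    return None if route is None else route.gateway


if __name__ == "__main__":
    for dst in ["192.168.2.6", "192.168.16.3", "192.168.16.4", "10.10.20.7", "8.8.8.8"]:
        r = lookup(R1_TABLE, dst)
        print(f"{dst:>14} -> {r.prefix}/{r.prefixlen} via {r.gateway} (distance {r.distance})")
```

Two details worth noticing: 192.168.16.4 is covered only by the default route even though 192.168.16.3/32 sits right next to it, and reversing the table gives the same answers, which is why a routing table, unlike a firewall chain, cannot be "fixed" by reordering it. On RouterOS the same tiebreak is the `distance` property of each route (0 for connected, 1 for static routes by default).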
33. www.glcnetworks.com
Autonomous system (AS)
● A collection of routers and networks under one administration, applying a single routing policy
● An AS is identified by a number (Autonomous System Number, ASN), assigned by an RIR (Regional Internet Registry: APNIC, ARIN, RIPE NCC, etc.)
(figure: four autonomous systems AS1, AS2, AS3 and AS4 connected to each other)
34. www.glcnetworks.com
Addressing, IANA, RIR
● The internet is based on the IP (Internet Protocol) addressing scheme -> RFC 791
● Addresses have to be unique
● IANA (Internet Assigned Numbers Authority) regulates IP address allocation
● IANA delegates (some of its authority) to the RIRs (Regional Internet Registries)
● An RIR delegates to national registries (NIRs) and to ISPs/LIRs in its region
● Every organisation needs an IP address block to join the internet and build a routing scheme among its equipment
● Because every block has a registered holder, an ISP knows which source prefixes to expect on each customer link; that is the information a BCP 38 ingress filter is built from
35. www.glcnetworks.com
Asymmetric routing
● Routing decisions are made per direction: each router only chooses the outbound path for the packets it forwards
● Forwarding on a router is based on the destination IP address only
● There is no guarantee that the incoming path is the reverse of the outgoing path
● We can only control our own outbound traffic; the return path is chosen by the other networks along the way
● This is why strict reverse-path filtering must be used with care on multihomed links: a legitimate reply may arrive on an interface that is not the router's own best path back to the source
(figure: the topology of slide 25 with R1, R2, R3 and the 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 LANs)
36. www.glcnetworks.com
Private IP, public IP and NAT

Public IP
● Used globally (on the internet)
● Must be unique
● Usually borrowed from an ISP (via ADSL, GPON, GSM, 4G, etc.)

Private IP (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
● Used privately (inside an organisation)
● Duplicated in many organisations, so it must never appear as a source address on the internet; NAT rewrites it to a public address on the way out
● A packet leaving your network with a private source address is either a misconfiguration or a spoof, and ingress/egress filtering should drop it
40. www.glcnetworks.com
Best Current Practice (BCP)?
● The IETF publishes RFCs (Request for Comments); they contain the rules for how internet communication works
● BCP is a sub-series of RFCs for best current practices on various topics; a BCP number stays the same even when the RFC behind it is replaced
● BCP 38 is RFC 2827, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing": a network should only accept packets on a customer or edge interface whose source address belongs to the prefixes assigned there, so that spoofed-source packets are dropped at the edge instead of travelling across the internet
● RFC 3704 (BCP 84) extends it to multihomed networks and describes reverse-path filtering as one way to implement the check
43. www.glcnetworks.com
Reverse-path filtering (RFC 3704, BCP 84)
● The rp-filter setting disables/enables source validation (the wording below is the RouterOS `/ip settings` description of rp-filter):
○ no - no source validation.
○ strict - applies Strict Reverse Path. Each incoming packet's source address is looked up in the FIB, and if the interface the packet arrived on is not the best reverse path (the interface the router would itself use to reach that source), the check fails. By default failed packets are discarded.
○ loose - applies Loose Reverse Path. Each incoming packet's source address is looked up in the FIB, and the check fails only if the source address is not reachable via any interface.
● Recommendation: use strict mode to prevent the IP spoofing used in DDoS attacks; it is the automatic form of the BCP 38 ingress filter, derived from the routing table instead of a hand-written prefix list
● For asymmetric routing, complex routing and VRRP cases, loose mode is recommended, because strict mode would drop legitimate packets that arrive on a different interface than the one the router would use to reply
● Caveat: on a router that has a default route, loose mode accepts almost any source (every address is "reachable" through the default); it only rejects sources covered by a blackhole/unreachable route or by no route at all
(figure: R1 with 12.1.1.0/24 on its LAN side (R1 = .1, hosts .10 and .99) and an uplink to the internet; packets shown: src 12.1.1.10 -> dst x.x.x.x, the reply src x.x.x.x -> dst 12.1.1.10, and src 12.1.1.99 -> dst y.y.y.y)
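The strict and loose checks of this slide, as an added Python model; it is not RouterOS code and not from the slides. The FIB is R1 from the figure, 12.1.1.0/24 behind an interface called `lan` and everything else via `wan`; the interface names, the spoofed packet with source 12.1.1.99 arriving from the internet, the use of 203.0.113.7 in place of x.x.x.x, and the blackholed 10.0.0.0/8 route are all constructed for the example.

```python
# Added example, not from the GLC slides or RouterOS: a model of the strict
# and loose reverse-path checks (RFC 3704) run against a FIB built from the
# slide's topology. Interface names, the spoofed packet, the 203.0.113.7
# stand-in for x.x.x.x and the blackhole route are constructed here.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FibEntry:
    network: ipaddress.IPv4Network
    interface: str  # outgoing interface, or "blackhole" for a null route


def fib(entries):
    """[("12.1.1.0/24", "lan"), ...] -> list of FibEntry."""
    return [FibEntry(ipaddress.ip_network(net), ifc) for net, ifc in entries]


def best_route(table, addr: str):
    """Longest prefix match for addr, or None if no entry covers it."""
    ip = ipaddress.ip_address(addr)
    hits = [e for e in table if ip in e.network]
    return max(hits, key=lambda e: e.network.prefixlen) if hits else None


def rp_check(table, src: str, in_iface: str, mode: str) -> bool:
    """Source validation for one packet; True means the packet is accepted.
    no:     no validation.
    loose:  src must be reachable via some real interface.
    strict: the interface the packet came in on must also be the one the
            FIB would use to reach src (the best reverse path)."""
    if mode == "no":
        return True
    route = best_route(table, src)
    if route is None or route.interface == "blackhole":
        return False  # unreachable source fails in both modes
    if mode == "loose":
        return True
    if mode == "strict":
        return route.interface == in_iface
    raise ValueError(f"unknown rp-filter mode {mode!r}")


# R1 from the figure: 12.1.1.0/24 on the LAN side, default route to the internet.
R1_FIB = fib([
    ("12.1.1.0/24", "lan"),
    ("0.0.0.0/0", "wan"),
])

# Same router with an RFC 1918 block blackholed (constructed addition):
# the only way loose mode can reject a source on a box that has a default route.
R1_FIB_BOGON = R1_FIB + fib([("10.0.0.0/8", "blackhole")])

MODES = ("no", "loose", "strict")

# Constructed packets: name -> (source address, interface it arrived on).
PACKETS = {
    "lan_host": ("12.1.1.10", "lan"),          # host .10 sending to the internet
    "internet_reply": ("203.0.113.7", "wan"),  # x.x.x.x answering 12.1.1.10
    "spoofed": ("12.1.1.99", "wan"),           # a LAN address arriving from outside
    "bogon": ("10.9.9.9", "wan"),              # private source arriving from outside
}


def scenarios(table=R1_FIB):
    """Run every constructed packet through every rp-filter mode."""
    return {
        name: {mode: rp_check(table, src, ifc, mode) for mode in MODES}
        for name, (src, ifc) in PACKETS.items()
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:15s}", result)
    print("bogon against the blackholed FIB:", scenarios(R1_FIB_BOGON)["bogon"])
```

The spoofed packet is the BCP 38 case: the best route to 12.1.1.99 points at `lan`, the packet came in on `wan`, so strict mode drops it while loose mode lets it through. The bogon packet shows the caveat: with only a default route, both modes accept 10.9.9.9 from the internet; it is rejected only once 10.0.0.0/8 has a blackhole route. To enable the real thing: RouterOS `/ip settings set rp-filter=strict` (or `loose`); Linux `sysctl -w net.ipv4.conf.all.rp_filter=1` (1 = strict, 2 = loose). Use strict on customer-facing and LAN interfaces where traffic is symmetric, loose on multihomed uplinks, and in either case add blackhole routes for prefixes that should never be a source (RFC 1918 space, 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/4).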
44. www.glcnetworks.com
TCP SYN cookies
● Send out SYN cookies when the SYN backlog queue of a socket overflows (the wording of the RouterOS `/ip settings` tcp-syncookies option; Linux has the same in net.ipv4.tcp_syncookies)
● This protects against the common SYN flood attack
● Note: SYN cookies protect the router's own TCP services; they do not stop spoofed packets from being forwarded, which is what the reverse-path filter on the previous slide is for
47. www.glcnetworks.com
Interested? Just come to our training...
● Topics are arranged in a systematic and logical way
● You will learn from an experienced teacher
● Not only learn the materials, but also share experiences and best practices, and do some networking
48. www.glcnetworks.com
End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Find our future events on our website: https://www.glcnetworks.com
● Like our Facebook page: https://www.facebook.com/glcnetworks
● Slides: https://www.slideshare.net/glcnetworks/
● Discord (bahasa Indonesia): https://discord.gg/6MZ3KUHHBX
● Recordings (YouTube): https://www.youtube.com/c/GLCNetworks
● Stay tuned with our schedule