What is BCP 38?

Also known as: Source Address Validation

Definition

BCP 38 (RFC 2827) is a Best Current Practice that defines ingress filtering to prevent packets with spoofed source IP addresses from leaving a network.

BCP 38, formally RFC 2827, is a Best Current Practice published by the IETF in 2000. It describes a simple but powerful network-layer defense: ingress filtering. The core idea is that a router or firewall should examine the source IP address of every outbound packet it forwards. If the source address does not belong to the network prefix that the router expects to see on that interface, the packet is dropped. This prevents a customer or an attacker inside that network from sending traffic that claims to come from an IP address outside the allocated block.

Operators implement BCP 38 by configuring access control lists (ACLs) or using unicast Reverse Path Forwarding (uRPF) on customer-facing interfaces. The router checks the source against its routing table: if the best return path to that source address goes out the same interface, the packet is allowed; otherwise it is rejected. This stops most forms of IP spoofing, including amplification attacks such as DNS reflection and NTP amplification. BCP 38 is not a complete anti-spoofing solution (it does not fix transit-provider filtering gaps), but it is the foundational standard against which source-address validation is measured.

In the wider stack, BCP 38 sits at the boundary between network operations and security policy. It is referenced in numerous later RFCs, including BCP 84 (RFC 3704, which extends the method to asymmetric routing scenarios) and various DDoS mitigation guidelines. Adoption remains inconsistent, often because of operational complexity in multi-homed networks or fear of blocking legitimate traffic. Despite this, BCP 38 is the single most cost-effective control against source-address spoofing on the internet.

Key facts

  • Published as RFC 2827 in May 2000, updated by RFC 3704 in 2004.
  • Prevents spoofed source IP addresses from leaving a customer or edge network.
  • Implemented via ACLs or unicast Reverse Path Forwarding (uRPF) on ingress interfaces.
  • Mitigates reflection and amplification DDoS attacks like DNS and NTP floods.
  • Widely endorsed by IETF, FIRST, and MANRS, but global adoption is not universal.

How it works in practice

An ISP connects a customer with allocated prefix 203.0.113.0/24. The ISP applies an ACL on the customer-facing port that permits only source addresses within 203.0.113.0/24. If a host behind that customer sends a packet with source 1.2.3.4, the ACL drops it. This prevents that customer from participating in a DNS reflection attack that spoofs a bank's IP address.
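The three checks described above (a static ingress ACL, strict uRPF against the routing table, and the loose uRPF relaxation from RFC 3704 for asymmetric routing) can be simulated in a few dozen lines. The following Python is an added example written for this page; it is not vendor code or part of the original text. The routing table, the interface names (Gi0/0, Gi0/1, Gi0/2) and the second customer prefix 198.51.100.0/24 are constructed; only 203.0.113.0/24 and the spoofed source 1.2.3.4 come from the example in the text.

```python
import ipaddress

# Constructed routing table for an illustrative edge router: (prefix, egress interface).
# The 203.0.113.0/24 customer on Gi0/1 mirrors the text's example; the rest is made up.
ROUTES = [
    (ipaddress.ip_network("203.0.113.0/24"), "Gi0/1"),   # customer A (the page's example)
    (ipaddress.ip_network("198.51.100.0/24"), "Gi0/2"),  # customer B, hypothetical
    (ipaddress.ip_network("0.0.0.0/0"), "Gi0/0"),        # default route towards the upstream
]

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def best_route(src):
    """Longest-prefix match: the (prefix, interface) the router would use to reach src."""
    ip = ipaddress.ip_address(src)
    matches = [(p, i) for p, i in ROUTES if ip in p]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def acl_allows(src, permitted):
    """Static BCP 38 ingress ACL: permit only sources inside the customer's allocated prefixes."""
    ip = ipaddress.ip_address(src)
    return any(ip in p for p in permitted)


def strict_urpf_allows(src, ingress, allow_default=False):
    """Strict uRPF: the best return path to src must leave via the interface the packet arrived on.
    The default route is ignored unless allow_default is set; with it enabled on an
    upstream-facing port the check accepts any source, which is the usual misconfiguration."""
    route = best_route(src)
    if route is None or (route[0] == DEFAULT_ROUTE and not allow_default):
        return False
    return route[1] == ingress


def loose_urpf_allows(src):
    """Loose uRPF (RFC 3704 relaxation for asymmetric routing): any non-default route to src suffices."""
    route = best_route(src)
    return route is not None and route[0] != DEFAULT_ROUTE


def evaluate(packets, customer_prefixes):
    """Run each (src, ingress_interface) pair through the three checks and return the verdicts."""
    permitted = [ipaddress.ip_network(p) for p in customer_prefixes]
    return {
        src: {
            "acl": acl_allows(src, permitted),
            "strict_urpf": strict_urpf_allows(src, ingress),
            "loose_urpf": loose_urpf_allows(src),
        }
        for src, ingress in packets
    }


# Constructed sample packets, all arriving on customer A's port Gi0/1.
SAMPLE_PACKETS = [
    ("203.0.113.10", "Gi0/1"),   # legitimate source inside the customer's allocation
    ("1.2.3.4", "Gi0/1"),        # the spoofed source from the text's example
    ("198.51.100.7", "Gi0/1"),   # another customer's address arriving on the wrong port
]

if __name__ == "__main__":
    for src, verdict in evaluate(SAMPLE_PACKETS, ["203.0.113.0/24"]).items():
        print(src, verdict)
```

The third packet is the case that separates the modes: the static ACL and strict uRPF both drop 198.51.100.7 on Gi0/1 because the return path is Gi0/2, while loose uRPF accepts it because some route to that source exists. That is exactly the trade-off RFC 3704 makes for multi-homed and asymmetric deployments, and why loose mode catches unrouted bogons but not spoofing of routable addresses.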

Related terms

  • Ingress filtering
  • Unicast Reverse Path Forwarding (uRPF)
  • RFC 3704
  • RFC 2827
  • MANRS
  • DDoS mitigation
  • Source Address Validation (SAV)
