North American Network Operators Group
Re: NSPs filter?
- From: Richard A Steenbergen
- Date: Mon Aug 05 12:41:06 2002
On Mon, Aug 05, 2002 at 11:59:04PM +0800, Barry Raveendran Greene wrote:
> We already have BCP 38, which strongly recommends packet filtering on the
> customer-ISP edge. There are now two major vendors who have strict mode
> uRPF. This covers 80% of the BCP 38 packet filtering on the
> customer-ISP edge. With a few BGP config tweaks, strict mode uRPF can cover
> a lot of the last 20% (all those multihomed customers).
Except vendor J doesn't spend much time at the customer edge, and vendor F
seems to think that you should do per-interface RPF with ACLs.
Also, vendor J's implementation of loose mode is significantly different
from everyone else's. It seems they mean "is it feasible for this src ip to
be routed to this interface regardless of route selection", not "it is
feasible for this src ip to be routed to any interface on the box". Or to
put it another way, say you peer with someone who sends you 5000 routes,
but you only accept 4000 as best-path. If you feasible filter it, you'll
be allowing src IPs from those 5000 prefixes, not from all 100k+ on the
box. While this is potentially a neat feature, it isn't the same as true
Between that and only being able to set strict or feasible for the entire
box and not per-interface, I'd say vendor J's implementation is almost
completely useless at this point.
Richard A Steenbergen <firstname.lastname@example.org> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
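
Added example, not part of the original message and not any vendor's implementation: a small Python model of the three source-address checks contrasted in this thread (strict uRPF, the per-interface "feasible" check, and loose uRPF across the whole box). The route table, the interface names `peer0` and `transit0`, and all function names are constructed for illustration.

```python
import ipaddress

# Constructed table: (prefix, interface the route was learned on, won best-path?)
ROUTES = [
    ("198.51.100.0/24", "peer0", True),
    ("203.0.113.0/24", "peer0", False),    # received from the peer, not selected
    ("203.0.113.0/24", "transit0", True),
    ("192.0.2.0/24", "transit0", True),
]
TABLE = [(ipaddress.ip_network(p), ifc, best) for p, ifc, best in ROUTES]

def covering(src, best_only):
    """Routes whose prefix contains src; optionally only best-path routes."""
    addr = ipaddress.ip_address(src)
    return [(net, ifc) for net, ifc, best in TABLE
            if addr in net and (best or not best_only)]

def strict(src, ingress):
    """Pass only if the longest-match best path for src points at the ingress interface."""
    best = covering(src, best_only=True)
    if not best:
        return False
    longest = max(net.prefixlen for net, _ in best)
    return any(ifc == ingress for net, ifc in best if net.prefixlen == longest)

def feasible(src, ingress):
    """Pass if any route received on the ingress interface covers src, best path or not."""
    return any(ifc == ingress for _, ifc in covering(src, best_only=False))

def loose(src):
    """Pass if any installed route on the box covers src, whatever the interface."""
    return bool(covering(src, best_only=True))

def verdicts(src, ingress):
    return {"strict": strict(src, ingress),
            "feasible": feasible(src, ingress),
            "loose": loose(src)}

if __name__ == "__main__":
    # Constructed source addresses, all arriving on peer0
    for src in ("198.51.100.7", "203.0.113.9", "192.0.2.5", "10.1.1.1"):
        print(src, verdicts(src, "peer0"))
```

The third address is the case the message turns on: a source covered only by a route learned elsewhere passes loose mode but is dropped by the per-interface feasible check.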