North American Network Operators Group|
Re: NSPs filter?
- From: Jared Mauch
- Date: Mon Aug 05 16:07:35 2002
On Mon, Aug 05, 2002 at 12:39:08PM -0400, Richard A Steenbergen wrote:
> On Mon, Aug 05, 2002 at 11:59:04PM +0800, Barry Raveendran Greene wrote:
> > We already have BCP 38, which strongly recommends packet filtering on the
> > customer-ISP edge. There are now two major vendors who have strict mode
> > uRPF. This covers 80% of the BCP 38 packet filtering on the
> > customer-ISP edge. With a few BGP config tweaks, strict mode uRPF can cover
> > a lot of the last 20% (all those multihomed customers).
> Except vendor J doesn't spend much time at the customer edge, and vendor F
> seems to think that you should do per-interface RPF with acl's.
> Also, vendor J's implementation of loose mode is significantly different
> from everyone else's. It seems they mean "is it feasible for this src ip to
> be routed to this interface regardless of route selection", not "is it
> feasible for this src ip to be routed to any interface on the box". Or to
> put it another way, say you peer with someone who sends you 5000 routes,
> but you only accept 4000 as best-path. If you feasible filter it, you'll
> be allowing src IPs from those 5000 prefixes, not from all 100k+ on the
> box. While this is potentially a neat feature, it isn't the same as true
Juniper I believe is working on a "super-loose" check which
will mimic the cisco behaviour. As always, check with your vendor
for more detailed information, etc..
> Between that and only being able to set strict or feasible for the entire
> box and not per-interface, I'd say vendor J's implementation is almost
> completely useless at this point.
Their 'loose' is interesting only in the case of customer
interfaces and not so interesting in the network core. Also
I seem to recall that it's a global option currently.
Jared Mauch | pgp key available via finger from email@example.com
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
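The three uRPF behaviours argued over in this thread (strict, the per-interface "feasible path" check Richard describes for vendor J, and the cisco-style loose check that only asks whether the source is in the FIB at all) are easy to confuse, so here is a small simulation of them. This is an added example, not code or configuration from either poster or from any vendor; the interface names, the prefixes and the "peer sends a route that transit wins as best path" scenario are constructed to reproduce the 5000-vs-4000 situation from the quoted text.

```python
# Simulation of uRPF strict / feasible-path / loose source checks.
# Added example; routes and interface names below are constructed, not
# taken from any real router or from the thread.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # ingress interface this path points back to
    best: bool       # True if this path won best-path selection (in the FIB)


def R(prefix, interface, best=True):
    return Route(ipaddress.ip_network(prefix), interface, best)


# Constructed routing table:
#   ge-0/0/0  transit
#   ge-0/0/1  a peer that announces 192.0.2.0/24 and 198.51.100.0/24,
#             but transit wins best-path for 198.51.100.0/24
#   ge-0/0/2  a single-homed customer
ROUTES = [
    R("192.0.2.0/24",     "ge-0/0/1"),
    R("198.51.100.0/24",  "ge-0/0/0"),              # best path via transit
    R("198.51.100.0/24",  "ge-0/0/1", best=False),  # alternate path via peer
    R("203.0.113.0/24",   "ge-0/0/2"),
]


def lookup(routes, src, include_alternates):
    """Longest-prefix match for src; optionally consider non-best paths too."""
    cands = [r for r in routes
             if src in r.prefix and (r.best or include_alternates)]
    if not cands:
        return []
    longest = max(r.prefix.prefixlen for r in cands)
    return [r for r in cands if r.prefix.prefixlen == longest]


def urpf_check(routes, src, ingress, mode):
    """Return True if a packet from src arriving on ingress passes uRPF."""
    src = ipaddress.ip_address(src)
    if mode == "strict":
        # best path back to src must leave via the ingress interface
        return any(r.interface == ingress for r in lookup(routes, src, False))
    if mode == "feasible":
        # any path (best or alternate) back to src via the ingress interface
        return any(r.interface == ingress for r in lookup(routes, src, True))
    if mode == "loose":
        # src merely has to be routable somewhere on the box
        return bool(lookup(routes, src, False))
    raise ValueError(f"unknown uRPF mode: {mode}")


def demo(routes=ROUTES, ingress="ge-0/0/1"):
    """Evaluate a few constructed sources arriving on the peer interface."""
    sources = ["192.0.2.7", "198.51.100.5", "203.0.113.9", "10.0.0.1"]
    return {s: {m: urpf_check(routes, s, ingress, m)
                for m in ("strict", "feasible", "loose")}
            for s in sources}


if __name__ == "__main__":
    for src, result in demo().items():
        print(f"{src:>14}  " + "  ".join(f"{m}={v}" for m, v in result.items()))
```

Running it shows the distinction from the thread: a source in the peer's alternate (non-best) prefix fails strict but passes feasible, a source from another customer's prefix fails feasible on the peer interface but passes loose, and an unrouted source fails all three. Feasible-path mode, as Richard describes it, therefore only admits the prefixes the peer itself announced, which is why it behaves like a per-peer filter rather than the box-wide loose check.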