North American Network Operators Group


Re: SYN flood messages flooding my mailbox

  • From: Curtis Villamizar
  • Date: Mon Sep 23 23:09:39 1996

In message <[email protected]>, Vadim Antonov writes:
> Curtis Villamizar <[email protected]> wrote:
> >I guess a picture would help:
> >
> >     AS X R1  ------  AS Y R3
> >        |                |
> >        |                |
> >     AS X R2  ------  AS Y R4
> >
> >If the route learned at AS Y R4 is preferred, AS Y R3 may get packets
> >although the forwarding entry (Fib) points toward AS Y R4, the LocRib
> >does not contain the entry (no preferred), only the AdjRibIn contains
> >the entry. If the filter must be set according to AdjRibIn,
> 
> That's what i meant.
> 
> >you now have a filter list **in the forwarding path** considerably longer than
> >the current routing table.  Won't scale at the very least.
> 
> Not.  Every entry in the filter contains the following data:
> 
> 	[Prefix] [Prefix Length] [Bitmask]
> 
> where bitmask has a bit per interface, so the bit is set if a
> packet matching the prefix is allowed from that interface.
> 
> Since in practically all cases all prefixes (NOT routes!) found in
> all RIBs are also found in the FIB (exceptions are proxy aggregation
> and/or restricted end-to-end reachability) the size of the list
> is the same as the size of the FIB.
> 
> In fact, you don't even need to keep a separate table.  Just add a
> bitmask field to the FIB entries.
> 
> (On customer-access routers with many interfaces each allowing
> only a very small portion of routes in, it may be more economical to
> implement explicit per-interface lists than to add fields to the FIB).

OK.  When you said "do this from BGP data" I didn't assume you'd be
tossing out the next-hop and just keeping the interface.  Although I
suppose a bitmap with a bit per active ARP entry could be used too (as
long as ARP entries could keep a slot reserved after they expire
until all routes using the ARP entry are changed, which shouldn't be
long or there is a problem).

Basing this on the AdjRibIn is more work than just reversing the
sense of the Fib but it does cover quite a few more cases.  Though not
all of them.

The transit providers still need to be able to trace attacks after the
fact since there is no filter that covers these cases and filters at
the fringes will be spotty deployments.

Curtis
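The two source-address filters discussed in this thread, worked through in code. This is an added illustration, not code from either poster or from any router vendor: it models a single router ("AS Y R3" from the picture above) whose FIB entries carry the per-interface bitmask Vadim describes, built from the AdjRibIn, and compares it with Curtis's alternative of "reversing the sense of the Fib" (accept a source only if the FIB would forward traffic back to it out the interface it arrived on). The interface numbers, prefixes, and RIB contents are constructed for the example; the asymmetric case where the route learned at R4 is preferred but packets from AS X still arrive via R1 is the one the thread is about.

```python
"""Added example: ingress source filtering from BGP data.

Models one router with three interfaces (constructed):
  0 = link to AS X R1, 1 = internal link to AS Y R4, 2 = a customer.
Shows (a) a FIB whose entries carry a bitmask of interfaces that
announced the prefix (built from AdjRibIn) and (b) a plain reverse-FIB
check that only trusts the single egress interface in the LocRib.
"""
import ipaddress

IF_R1, IF_R4, IF_CUST = 0, 1, 2


def build_fib(adj_rib_in, loc_rib):
    """Return {network: (egress_iface, ingress_bitmask)}.

    adj_rib_in: {network: [ifaces that announced it]}  -- everything heard.
    loc_rib:    {network: iface}                        -- the path BGP selected.
    Bit i of the mask is set when interface i announced the prefix, so a
    source inside the prefix may legitimately arrive on any of those links.
    """
    fib = {}
    for net, ifaces in adj_rib_in.items():
        mask = 0
        for i in ifaces:
            mask |= 1 << i
        fib[net] = (loc_rib[net], mask)
    return fib


def lookup(fib, addr):
    """Longest-prefix match; returns (network, egress_iface, bitmask) or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, (egress, mask) in fib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress, mask)
    return best


def allowed_reverse_fib(fib, src, ingress):
    """'Reverse the sense of the Fib': accept src only if the FIB would
    forward packets *to* src out the interface the packet arrived on."""
    hit = lookup(fib, src)
    return hit is not None and hit[1] == ingress


def allowed_bitmask(fib, src, ingress):
    """Accept src if the ingress interface's bit is set in the FIB entry."""
    hit = lookup(fib, src)
    return hit is not None and bool(hit[2] & (1 << ingress))


# Constructed RIB contents for AS Y R3.  AS X's 10.0.0.0/8 is heard both
# directly from R1 (iface 0) and via R4 (iface 1); BGP prefers the R4 path.
ADJ_RIB_IN = {
    ipaddress.ip_network("10.0.0.0/8"): [IF_R1, IF_R4],
    ipaddress.ip_network("192.0.2.0/24"): [IF_CUST],
}
LOC_RIB = {
    ipaddress.ip_network("10.0.0.0/8"): IF_R4,
    ipaddress.ip_network("192.0.2.0/24"): IF_CUST,
}
FIB = build_fib(ADJ_RIB_IN, LOC_RIB)


if __name__ == "__main__":
    packets = [
        ("10.1.2.3", IF_R1),       # AS X source arriving on the non-preferred link
        ("10.1.2.3", IF_R4),       # AS X source arriving on the preferred link
        ("10.1.2.3", IF_CUST),     # customer spoofing an AS X address
        ("192.0.2.5", IF_CUST),    # customer's own address
        ("203.0.113.9", IF_CUST),  # address with no route at all
    ]
    for src, ingress in packets:
        print(f"src={src:<12} iface={ingress}  reverse-fib={allowed_reverse_fib(FIB, src, ingress)!s:<5} "
              f"bitmask={allowed_bitmask(FIB, src, ingress)}")
```

The first packet is the case the thread turns on: the reverse-FIB check drops legitimate traffic from AS X because the LocRib only points at R4, while the AdjRibIn-derived bitmask accepts it because R1 also announced the prefix. Both checks still drop the spoofed AS X source arriving from the customer port, and both drop sources with no route, which is the behaviour that matters for the SYN-flood problem that started the thread.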
