North American Network Operators Group


Re: uRPF Loose Check Mode vs. ACL

  • From: Richard A Steenbergen
  • Date: Sun May 05 16:52:05 2002

On Sun, May 05, 2002 at 11:55:21AM -0700, Livio Ricciulli wrote:
> 
> In particular, I am interested in the ability to eliminate specific 
> routes from the FIB under uRPF Loose Check Mode to effectively filter 
> specific source addresses that are flooding.
> 
> As I understand the concept, eliminating an address from the FIB such as
> x.y.0.0/24 would have the equivalent effect of installing a network-wide
> ACL rule:
> 
> deny ip x.y.0.0/24 any

Not quite.

First, let's be specific about what you mean by "remove from the FIB", as
there are a number of different methods you could use. You could simply
block it from the RIB when generating the FIB, you could go back after FIB 
generation and try to make it unresolved, or you could change the nexthop 
to "discard". If you're trying to replicate traditional firewall behavior 
(filter no matter what) you would have to do it post FIB generation, but if
you are trying to replicate normal routing behavior (ex: a null route) you 
would have to do it during FIB generation, so that you can potentially 
have more specific routes which escape the "filter".

Secondly, when you remove something from your FIB, you also block 
destination routing as well as source.

> The reason why I ask is that we would like to keep control of these
> two important aspects of the traffic to avoid filtering out too much
> and therefore possibly affecting legitimate traffic. Think of the case where
> a flood targets one of multiple downstream customers and the spoofed
> addresses correspond to a popular address range (such as Yahoo).  Doing
> a "deny ip x.y.0.0/24 any" would effectively shut down Yahoo's traffic
> for all downstream customers thus amplifying the attacker's effect.

It sounds like what you are looking for has nothing to do with the RPF or
the FIB, but rather simply manual source address filtering.

However, if the reason you're interested in RPF is because you want to
source match filtering more efficiently, you may be interested in the data
structure. Rather than walking a straight access-list rule set doing a
comparison for every rule, you can make a "Filtering" Information Base
mtrie for source address rules. This is the entire point of standard 
access-lists, and more recently compiled access-lists.

-- 
Richard A Steenbergen <[email protected]>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
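The three behaviours the reply distinguishes (dropping a prefix while generating the FIB so that more-specifics escape, discarding it after generation so that nothing escapes and destination traffic is blocked too, and keeping a separate longest-match trie of source-address rules) can be modelled in a few dozen lines. This is an added example, not code from the thread or from any router vendor; the RIB entries, interface names and the "discard" next-hop convention are constructed for illustration.

```python
"""Prefix-trie model of the FIB / uRPF-loose / source-filter distinction.
Added example, not from the NANOG thread. Prefixes and next hops are constructed."""
import ipaddress

DISCARD = "discard"  # constructed marker for a discard next hop


class PrefixTrie:
    """Binary trie over IPv4 prefixes with longest-prefix-match lookup."""

    def __init__(self):
        self.root = {}  # node = {"0": child, "1": child, "v": stored value}

    @staticmethod
    def _bits(prefix):
        net = ipaddress.ip_network(prefix, strict=False)
        return format(int(net.network_address), "032b")[: net.prefixlen]

    def node_for(self, prefix, create):
        """Walk to the node representing prefix, optionally creating the path."""
        node = self.root
        for b in self._bits(prefix):
            if b not in node:
                if not create:
                    return None
                node[b] = {}
            node = node[b]
        return node

    def insert(self, prefix, value):
        self.node_for(prefix, create=True)["v"] = value

    def lookup(self, addr):
        """Longest-prefix match: the stored value, or None if unresolved."""
        node, best = self.root, self.root.get("v")
        for b in format(int(ipaddress.ip_address(addr)), "032b"):
            node = node.get(b)
            if node is None:
                break
            best = node.get("v", best)
        return best


def build_fib(rib, exclude=None):
    """Generate the FIB from the RIB. A prefix excluded *here* is simply absent,
    so more-specific routes beneath it still resolve (null-route behaviour)."""
    fib = PrefixTrie()
    for prefix, next_hop in rib:
        if prefix != exclude:
            fib.insert(prefix, next_hop)
    return fib


def discard_post_generation(fib, prefix):
    """Rewrite an already-built FIB: point prefix at discard and drop every
    more-specific entry beneath it, so nothing escapes (firewall behaviour)."""
    node = fib.node_for(prefix, create=True)
    node.clear()
    node["v"] = DISCARD


def urpf_loose_pass(fib, src):
    """uRPF loose check: the source passes if any non-discard route covers it."""
    match = fib.lookup(src)
    return match is not None and match != DISCARD


def forwarding_next_hop(fib, dst):
    """Destination lookup, to show that FIB surgery also affects forwarding."""
    return fib.lookup(dst)


class SourceFilter:
    """Separate 'filtering information base' for source addresses: a trie of
    permit/deny rules, independent of the FIB, default permit."""

    def __init__(self):
        self.trie = PrefixTrie()

    def deny(self, prefix):
        self.trie.insert(prefix, "deny")

    def permit(self, prefix):
        self.trie.insert(prefix, "permit")

    def allowed(self, src):
        return self.trie.lookup(src) != "deny"


# Constructed RIB: a /16, a more-specific /24 inside it, and an unrelated /24.
RIB = [("10.1.0.0/16", "ge-0/0/1"), ("10.1.2.0/24", "ge-0/0/2"),
       ("192.0.2.0/24", "ge-0/0/3")]


def demo():
    """Return the observations made in the reply, keyed for inspection."""
    during = build_fib(RIB, exclude="10.1.0.0/16")
    post = build_fib(RIB)
    discard_post_generation(post, "10.1.0.0/16")
    plain = build_fib(RIB)
    sf = SourceFilter()
    sf.deny("10.1.0.0/16")
    sf.permit("10.1.2.0/24")  # longest match lets a popular sub-range through
    return {
        # excluded during generation: the /24 escapes, the rest of the /16 is unresolved
        "during_specific_passes": urpf_loose_pass(during, "10.1.2.5"),
        "during_rest_passes": urpf_loose_pass(during, "10.1.9.9"),
        # discarded after generation: nothing escapes, and destinations are blocked too
        "post_specific_passes": urpf_loose_pass(post, "10.1.2.5"),
        "post_dst_next_hop": forwarding_next_hop(post, "10.1.2.5"),
        # separate source filter: sources are matched, destination routing is untouched
        "filter_rest_allowed": sf.allowed("10.1.9.9"),
        "filter_specific_allowed": sf.allowed("10.1.2.5"),
        "filter_dst_next_hop": forwarding_next_hop(plain, "10.1.9.9"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the asymmetry in the reply: exclusion at FIB-generation time leaves 10.1.2.0/24 reachable and passing uRPF while the rest of 10.1.0.0/16 fails, post-generation discard fails uRPF for the whole /16 and returns "discard" for destination lookups as well, and the separate source trie denies 10.1.9.9 without changing the next hop the FIB returns for it.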