North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: uRPF Loose Check Mode vs. ACL
Richard A Steenbergen wrote: escaping the "filter" with more specific routes would be absolutely necessary.On Sun, May 05, 2002 at 11:55:21AM -0700, Livio Ricciulli wrote:In particular, I am interested in the ability of eliminating specific routes from the FIB under uRPF Loose Check Mode to effectively filter specific source addresses that are flooding.Not quite. Secondly, when you remove something from your FIB, you also block destination routing as well as source.Good point; so in ACL equivalent language you are saying that taking out a FIB entry in uRPF Loose Check Mode is equivalent to a network-wide insertion of: deny ip x.y.0.0/24 any (from the uRPF Loose Check Mode) deny ip any x.y.0.0/24 (from the absence of a route) (modulo the more specific routes to escape the "filter" which could be expressed as prepended permits in the ACL equivalent world) Well, I am investigating if it is possible today to use uRPF Loose Check Mode to achieve network-wide source/destination address filtering functionality (it seems not from what you write). I immagine that it would be useful to use route advertisements to enforce network-wide access control policies. These policies, however, to be generally interesting for DDoS would have to be at least as expressive as "<deny|permit> <proto> <source> <destination>" (hence my questions).The reason why I ask is that we would like to keep control of these two important aspects of the traffic to avoid filtering out too much and therefore possibly affecting legitimate traffic. Think of the case where a flood targets one of multiple downstream customers and the spoofed addresses correspond to a popular address range (such as Yahoo). Doing a "deny ip x.y.0.0/24 any" would effectively shut down Yahoo's traffic for all downstream customers thus amplifying the attacker's effect.It sounds like what you are looking for has nothing to do with the RPF or the FIB, but rather simply manual source address filtering. Livio.
|