North American Network Operators Group


Re: Where is the edge of the Internet?

  • From: alok
  • Date: Tue Nov 05 06:10:31 2002


inline....

>
> so its a hardware limitation?....bigger cores needed

not necessarily. if you do the filtering in the right places you can leave
the core to do its job of passing packets.

also, the idea of filtering at the edges is designed to reduce the distance
dud packets travel in your network, leaving your routers to worry about
passing legit packets.

=====> yup, but its fine if they reach the core as long as they dont go out
of it onto some WAN ($$) link (surely u have enuf on ethernet and pretty
much dont care whats there),... its still not hogging away bandwidth....but
its the ideal point to know "everything" passing around..... :o)..specially
Area -0 in OSPF.....

> fair enuf...... 2 schools of thought, and ur idea makes sense
> too... no denying that...but you have corner cases... which wont come up if
> it could be in the core.....

the idea behind the extended filtering capabilities in routing software /
OSes is to address the problems you describe.


> well that covers everything doesnt it ;o)... even those not in ur
> network..does it actually ping and check to see if its there?

no, a default route is a default route. it doesn't check the IP address, but
any packets to dud addresses will get dropped the second they hit a default
free zone (if there is no matching prefix) or the upstream router (addresses
covered by a prefix but not used).

======> I may have to stop aggregation/default routing , on certain points
where i may have to go "loose"........
...unless ..if its "right at the edge" , where you know customer
interfaces..as you have been saying..but still nothing can be put on the non
customer facing side....

> do u inject BGP into IGP? ....do all access boxes have the
> entire BGP table/or know every address/network on the internet?

i'd be running iBGP across the default free core and IGP to cover link state
of your core. i've seen BGP injected into IGP and it can end up ugly if you're
not careful.

so yes, you'd have a subset of your routers with full tables. you can filter
on these routers using "reachable-via any" to address asymmetry. on routers
closer to the customer edge, you might not have a full table but you can
apply stricter filtering given that you should know what subnets are coming
in your customer facing interfaces.

=========> you wudnt want to put this on any iBGP routers with "loose", as
they will anyway "know too many networks" .....u cudnt do it for multihomed
guys, not sure how u say u can.....unless you filter out his entire
range....

---------------
> most access would be the corner cases... i have cases where tier-2
> ISPs would simply take a 3 Mb uplink from 1 service provider and a fat
> downlink from another (ISP-2) ...all the BGP routes/advertisements would be
> in the 2nd ISPs networks, ISP 1 has no idea what this guys address range is
> at the access is... this is a common mechanism lots of tier-2 ISPs would
> apply......

? ISP-1 can filter packets based on subnets known to be attached to the
customer circuit (your customer system does record IP addresses assigned to
customers or provider independent IP subnets that your customers have,
doesn't it?!?)...

=====> wont work if the customer has his own AS else ill need to filter
"all" of the addresses...... ***there is no rule which needs me to tell the
peering provider what I am uplinking via his pipe**.......** I could still
DDOS with all the IPs belonging to the tier-2 ISP and get enuf traffic
generated...right?**

you might also say "okie now i know this AS was the source" but then that
hardly helps you obviously cant ban the whole AS's IP range.. u need to
track the "user".....

 ...hmm but you could say that the tier-2 guy should do RPF too........that
makes sense...."stringent laws" would help.....

----------------

ISP-2 would do the same for upstream traffic. downstream both ISPs could
apply whatever filtering is appropriate (loose / strict) given their network
structure.

=====> loose/strict  wont help if its 2 different ISPs..........and if u
dont know what customer networks are uplinking via your own core.....

> we cud start a new topic...
>
> "where is the core of the internet"?
>
> coz asymmetric routing messes up everything :o) even for those scenarios
> on the core...

read up a little RPF and the difference between "strict" and "loose"...

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122yo/swcg/secure.htm#xtocid10


========> loose is essentially "exist -only" i hope thats what u
mean?........it doesnt check the "interface" being a possible point of
entry, just that the network is known via the routing table......thats what
you're referring to I guess...??..for BGP peered networks... cant say
much....its up to him what he advertises to you...

but for customers whose networks are present in your IGP, it does make
sense.....strict on all access devices, loose on all the major points where
one cant tell the interfaces....but you still need to know where he uplinks
and downlinks from...."so its sort of same as acls but yeah, its
automated".......wondering if all this effort can be put onto the core...

if u mean something else by "loose" then im sorry im not aware.. perhaps you
could share some info...

in case u think i am giving you too many corner cases.... its not "whine
whine" its just exploring possibilities :o) ...


-Alok
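To make the strict/loose uRPF distinction argued over in this thread concrete, here is an added example (not from the thread, not vendor code): a toy uRPF check against a constructed FIB, covering the asymmetric-routing case (legitimate traffic arriving via the "wrong" interface), spoofing of a known customer range, and the "a default route is a default route" case. Interface names, prefixes and the FIB shape are all constructed for illustration.

```python
import ipaddress

# Constructed sample FIB for one router: prefix -> interfaces the prefix is reachable via.
# A set models equal-cost paths; loose mode ("reachable-via any") ignores interfaces entirely.
FIB = {
    "0.0.0.0/0": {"up0"},                   # default route toward the default-free zone
    "192.0.2.0/24": {"cust1"},              # single-homed customer behind interface cust1
    "198.51.100.0/24": {"cust2", "peer0"},  # multihomed customer, also learned via a peer
    "203.0.113.0/24": {"cust3"},            # customer whose return path is via cust3 only
}

def lookup(src):
    """Longest-prefix match; returns (network, interfaces) or None when no route covers src."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifaces in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best

def urpf(src, in_iface, mode, allow_default=False):
    """True if a packet with source src arriving on in_iface passes the uRPF check.
    strict: the route back to src must point out the ingress interface.
    loose:  src merely has to be covered by some route ("exist-only")."""
    hit = lookup(src)
    if hit is None:
        return False
    net, ifaces = hit
    if net.prefixlen == 0 and not allow_default:
        return False  # a default route would make every source look "known"
    if mode == "loose":
        return True
    return in_iface in ifaces

if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "cust1", "strict"),   # legit customer packet: pass
        ("192.0.2.10", "cust2", "strict"),   # cust1's range spoofed from cust2: drop
        ("192.0.2.10", "cust2", "loose"),    # same spoof, loose mode: passes (range is known)
        ("203.0.113.5", "peer0", "strict"),  # asymmetric: legit traffic in via the peer, drop
        ("203.0.113.5", "peer0", "loose"),   # loose tolerates the asymmetry: pass
        ("10.9.8.7", "peer0", "loose"),      # only the default route covers it: drop
    ]
    for src, iface, mode in cases:
        verdict = "pass" if urpf(src, iface, mode) else "drop"
        print(f"{src:>14} on {iface:<5} {mode:<6} -> {verdict}")
```

The loose rows show why loose mode does nothing against a source spoofed from a range the router already knows, while the strict rows show the false drop on asymmetric paths that the thread keeps coming back to.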