North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Lazy Engineers and Viable Excuses

  • From: Matt Levine
  • Date: Tue Aug 26 11:31:48 2003 
On Tuesday, August 26, 2003, at 11:13 AM, Stephen J. Wilcox wrote:


On Tue, 26 Aug 2003, Leo Bicknell wrote:
In a message written on Tue, Aug 26, 2003 at 10:43:00AM -0400, Jared Mauch wrote:
	Yes I could, if you and your customers had all the routes
they sourced packest from registered.  This has nothing to do
with routing 101, this has to do with filtering customers and
having anti-spoofing filters as well as route objects for any
prefix you will source packets from.

         ___T1 to Verio, With BGP____Verio______
        /                                       \
Customer                                         UUnet
        \                                       /
         ---T1 to Sprint, No BGP-----Sprint-----

Now, the customer, over their two T1 transit circuits does the
following:

as-path access-list 1 deny .*

neighbor verio filter-list 1 in

ip route 0.0.0.0 0.0.0.0 sprint

Should the customer have to register a route with Sprint to make
this work?  How does UUNet, who only received a route from Verio,
know incoming packets from Sprint aren't spoofed?  Note also, even
if these cases are in the IRR, UUNet's filter for Sprint will be
larger than the number of routes currently received, since there is
no route for this prefix that needs to be in the filter.

[Note, I don't suggest this configuration is common or useful on
its own, but rather it's a simple enough case it can be used for
discussion in e-mail.]
Hmm this isnt a real world scenario tho.. if you multihome there should be BGP
on both paths..

In the example above Sprint arent accepting or sourcing a route so there is no
issue on routes being passed into Sprint or UUNET and we're talking here about
spoofing of routes not packets
In a real world scenario, I bumped into Verio's RPF peer filters yesterday.

Due to the large outage at 200 paul, the /19 that one of my /24's is out of went away. Obviously due to prefix filtering policies, verio didn't have my /24. I had several people complain who were multihomed, and did have the /24 from their other carrier(s). Unfortunately, my best path to these customers was via verio, who's rpf promptly blocked my return traffic :(




Steve
--
Matt Levine <[email protected]>
"The Trouble with doing anything right the first time is that nobody appreciates how difficult it was." -BIX