North American Network Operators Group


Re: router worms and International Infrastructure

  • From: Christopher L. Morrow
  • Date: Thu Sep 22 11:13:09 2005


On Thu, 22 Sep 2005, Matthew Crocker wrote:

<snip making networking more complicated than required>
>
> > Also, consider the cases where customers push packets your way (for
> > uRPF strict, which isn't available for JunOS, but is for IOS depending on
> > platform/code/hardware-rev... ugh!) and never send you a route for the
> > traffic back to them? Maybe they are just a transit and don't even hear
> > the routes for their customer who chose a 'cheaper' path that doesn't
> > include them nor me directly on this link in question?
>
>
> This sounds like a broken design.  Why have one way links?  If a

I didn't say I endorsed it, just that it happens, often. It's not a one
way link either, the link may have thousands of routes advertised up it,
just not a few key ones which are sources of traffic.

Like I said earlier this morning, I have no idea why customers don't just
send a prepended-to-hell route along this path for backup, but they
don't... often.

> customer pushes packets my way and they don't announce that route to
> me I will drop the packets at my edge.  If they want to send me those

and you are breaking them... that's bad.

> packets they need to announce.  They can announce with AS path
> prepend x 1000 so I don't send them any traffic but the route needs
> to exist.

Sure, and every customer knows bgp/route-maps/policy as well as you... my
point wasn't that it was a good or bad thing, just that it is.

>
> > "does urpf feasible path stop a 'customer' from spoofing sources
> > that are in the FIB?"
>
> No,  but you don't use feasible path on links aimed at your customer,

great now we have conflicting answers :) perhaps I'll ask on j-nsp for
clarification.

> you use strict.  If your router doesn't support strict then talk to
> your purchasing department.

The problem isn't the router, it's the cards in the router often :( Also,
it's supposed to work according to the vendor, until you test and verify
it doesn't :( doh! hint, don't buy Engine-3 cards for your 12000's unless
you don't care about urpf strict.

hurray!
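As an added example (not from this thread; the FIB entries and interface names are constructed), here is a small Python model of the three uRPF modes defined in RFC 3704, run over the situations discussed above: a customer prefix announced to us directly, a downstream of the customer reachable only through a heavily prepended backup route, and a downstream route the customer never sent up this link. Strict accepts a packet only if the best path for its source points back out the ingress interface; feasible path also accepts when a non-best alternate via the ingress interface exists; loose accepts any source that has a route at all. The model keeps the feasible alternates on the route record rather than in a separate RIB, which is an assumption for brevity.

```python
"""Toy model of the uRPF check modes from RFC 3704 (strict, feasible path,
loose).  Added example; the FIB below and the interface names are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    best_iface: str                        # interface the FIB best path points out of
    alt_ifaces: frozenset = frozenset()    # other feasible paths (e.g. a prepended backup)


class Fib:
    """Longest-prefix-match table holding the best path and feasible alternates."""

    def __init__(self, routes):
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, src):
        addr = ipaddress.IPv4Address(src)
        for route in self.routes:
            if addr in route.prefix:
                return route
        return None


def urpf_accept(fib, mode, src, ingress):
    """True if a packet with source `src` arriving on `ingress` passes the check."""
    route = fib.lookup(src)
    if route is None:
        return False  # every mode drops a source that has no route at all
    if mode == "loose":
        return True  # any route suffices, whatever interface it points out of
    if mode == "strict":
        return ingress == route.best_iface  # only the best path's interface counts
    if mode == "feasible":
        return ingress == route.best_iface or ingress in route.alt_ifaces
    raise ValueError(f"unknown uRPF mode {mode!r}")


# Constructed FIB for an edge router with one customer port and one transit port.
FIB = Fib([
    # the customer's own prefix, announced to us directly
    Route(ipaddress.ip_network("192.0.2.0/24"), "cust"),
    # a downstream of the customer: best path via transit, but the customer also
    # sent a heavily prepended backup route, so the path via "cust" is feasible
    Route(ipaddress.ip_network("198.51.100.0/24"), "transit", frozenset({"cust"})),
    # another downstream that chose a cheaper path and never announced to us
    Route(ipaddress.ip_network("203.0.113.0/24"), "transit"),
])

MODES = ("strict", "feasible", "loose")


def evaluate(src, ingress, fib=FIB):
    """Verdict of each mode for one (source address, ingress interface) pair."""
    return {mode: urpf_accept(fib, mode, src, ingress) for mode in MODES}


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "cust"),      # customer's own prefix
        ("198.51.100.10", "cust"),   # only a prepended backup path announced
        ("203.0.113.10", "cust"),    # route never announced on this link
        ("192.0.2.10", "transit"),   # customer prefix arriving from transit
        ("100.64.0.1", "cust"),      # no route at all
    ]
    for src, ingress in cases:
        print(f"{src:>14} via {ingress:<8} {evaluate(src, ingress)}")
```

Running it shows the trade-off both sides of the thread are arguing about: strict drops the legitimate backup-only and never-announced cases along with the spoofed one, feasible path keeps the prepended backup case working while still dropping sources the customer has no path to, and loose only catches sources with no route anywhere.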