Title: Message

> > But in routing code I would as
> > implementor check if a site came in at me and if globally connected
> > drop the packet and not let thru default route.
>
> This would be relatively easy to do, I suppose

Yes, but I believe we need this in products quickly if we support Margaret's rule, which I do. Can it be done as a download rule upgrade to existing routers, or will it have to be put in the slow path?


>
> But note that there is (currently) more than that: site-border routers
> must also check source addresses of packets and drop them. This may get
> difficult as you have to have a way of configuring the fact that this is
> indeed a site border. This can't really be solved by adding a route..

It is a compare and XOR operation on the address at the ingress point. If we apply Margaret's rule-set, which I support, a site border router would only be dealing with site locals if it had no connectivity to non-site communications. So I don't see that problem per compliance. But to prevent errors the site routers could do the fix I state above as easily as ingress/egress border routers to a site from a public or private ISP.

>
> (Note I meant site/global border with site border above, not two
> different sites)

This is a good point to question. My read of Margaret's rule is that the border router would not be configured to see a site on any interface? The only reason to do what I say above is insurance for the network operations community in the product implementation.

/jim
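
The border check discussed in this thread, as an added example that is not part of the original message or any router's code: an XOR-and-mask prefix compare on source and destination, gated by a per-interface zone setting. The site-local prefix fec0::/10 (RFC 3513), the `if_zone` setting and all function names are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Assumption: site-local unicast is fec0::/10 (RFC 3513). */
static const uint8_t SL_PREFIX[2] = { 0xfe, 0xc0 };
static const uint8_t SL_MASK[2]   = { 0xff, 0xc0 };

/* Hypothetical per-interface configuration: which side of the border it faces. */
enum if_zone { IF_SITE, IF_GLOBAL };

/* XOR the leading bytes with the prefix, then mask: zero means a match. */
static bool is_site_local(const struct in6_addr *a)
{
    return (((a->s6_addr[0] ^ SL_PREFIX[0]) & SL_MASK[0]) |
            ((a->s6_addr[1] ^ SL_PREFIX[1]) & SL_MASK[1])) == 0;
}

/* True when the packet must be dropped: a site-local source or destination
 * may only be forwarded between two site-facing interfaces, so it can never
 * follow a default route out through a global interface. */
static bool border_drop(enum if_zone in, enum if_zone out,
                        const struct in6_addr *src, const struct in6_addr *dst)
{
    if (in == IF_SITE && out == IF_SITE)
        return false;
    return is_site_local(src) || is_site_local(dst);
}

/* Text wrapper: 1 = drop, 0 = forward, -1 = unparsable address. */
int drop_text(enum if_zone in, enum if_zone out, const char *src, const char *dst)
{
    struct in6_addr s, d;
    if (inet_pton(AF_INET6, src, &s) != 1 || inet_pton(AF_INET6, dst, &d) != 1)
        return -1;
    return border_drop(in, out, &s, &d) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample packets, not taken from the thread. */
    printf("site->global, src fec0::1:     %d\n",
           drop_text(IF_SITE, IF_GLOBAL, "fec0::1", "2001:db8::1"));
    printf("site->site,   src fec0::1:     %d\n",
           drop_text(IF_SITE, IF_SITE, "fec0::1", "fec0::2"));
    return 0;
}
```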
