On Fri, 6 Feb 2009, Tore Anderson wrote:

> 123.0.0.x is part of AS123's PA space, 321.0.0.x is part of AS321's.
> Routes received from AS123 have a higher localpref than those from AS321,
> for whatever reason - like simply being cheaper.
>
> If someone on the other side of the internet now sends an ICMP ping or
> whatever to 321.0.0.2 I'll end up routing the reply packet out through
> AS123, since the route to that particular other side of the internet has
> a higher localpref through AS123.  However from AS123's point of view
> I'm now spoofing traffic from AS321's PA space, so they might feel free
> to drop the packet due to a failing uRPF check or whatever.

Your ISPs should not be implementing strict RPF on your interfaces to them since you're multi-homed. Loose RPF should be OK. If one ISP or the other (or both) is accomplishing RPF-like functionality using ACLs, then they need to relax those ACLs to accept traffic from the space that AS123 assigned to you. If you're doing RPF on your side, or implementing ACL-based ingress/egress filtering, you should implement loose RPF and consider relaxing your filter ACLs a bit.

jms
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
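
A small model of the strict versus loose RPF decision discussed in this thread, added here as an example and not written by either poster. It evaluates reply packets arriving at AS123 on the customer-facing link; the prefixes, interface names and AS123's forwarding table are constructed assumptions (documentation prefixes stand in for the post's 123.0.0.x and 321.0.0.x).

```python
import ipaddress

# Constructed stand-ins: 321.0.0.x in the post is not a valid address,
# so documentation prefixes are used for both PA assignments.
AS123_PA = "192.0.2.0/24"      # space AS123 assigned to the customer
AS321_PA = "198.51.100.0/24"   # space AS321 assigned to the customer

# Assumed view from AS123: best route per prefix -> outgoing interface.
AS123_FIB = {
    AS123_PA: "to-customer",
    AS321_PA: "to-transit",    # learned via AS321, not via the customer link
    "203.0.113.0/24": "to-transit",
}

def best_route(fib, src):
    """Longest-prefix match; returns the interface, or None if no route."""
    addr = ipaddress.ip_address(src)
    matches = [ipaddress.ip_network(p) for p in fib
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return fib[str(max(matches, key=lambda n: n.prefixlen))]

def urpf_accepts(fib, src, ingress_if, mode):
    """strict: the best route to src must point back out the ingress interface.
    loose: any route to src is enough."""
    out_if = best_route(fib, src)
    if out_if is None:
        return False           # no route to the source: both modes drop
    if mode == "loose":
        return True
    if mode == "strict":
        return out_if == ingress_if
    raise ValueError(f"unknown mode: {mode}")

def scenario():
    """Packets the multihomed customer sends up its AS123 link."""
    sources = {"AS123 PA": "192.0.2.2", "AS321 PA": "198.51.100.2",
               "unrouted": "10.9.9.9"}
    return {(label, mode): urpf_accepts(AS123_FIB, src, "to-customer", mode)
            for label, src in sources.items() for mode in ("strict", "loose")}

if __name__ == "__main__":
    for (label, mode), ok in scenario().items():
        print(f"{label:9} {mode:6} -> {'accept' if ok else 'drop'}")
```

Strict mode drops the reply sourced from the AS321 assignment because AS123's best route to that prefix does not point at the customer interface, while loose mode accepts it and still drops a source with no route at all.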
