> they will charge you a whopping sum for that "picking places" bit ;o)
> ... i agree that the best place to actually address such scenarios is the
> "backbone"/"peering points"/"borders" where all traffic is seen.. rather than
> go around tinkering at all edges.. but i don't know how RPF would address the
> asymmetry there.. but at the edges... deployment cost is a problem.. i
> think... don't ask me if i have a better idea :o) i would be writing a paper
> if i did.....
i'd disagree with your choice of places:

backbone - the core is the last place i'd be putting filtering

peering points / borders - the router needs a full table (asymmetry / reachable-via any) and be beefy enough to handle the extra load of filtering.

-----------> so it's a hardware limitation?.... bigger cores needed

the places to go after are (IMHO in this order):

- routers immediately upstream of dial-in pools, cable headends etc. etc. (strict filtering)
- routers aggregating customer circuits (strict filtering)
- peering / transit circuits (loose filtering)

----------> fair enough...... 2 schools of thought, and your idea makes sense too... no denying that... but you have corner cases... which won't come up if it could be in the core.....

> because the destination network is there..... it's still a viable config
> isn't it.. in case of asymmetric uplinks and downlinks? ...... what stops you from
> "not having a route to the source" as routing is destination IP based...
> some particular network may be covered with 0.0.0.0/0 for example and you
> may have no routing entry for it... or you could be having a customer who
> uplinks a particular network segment via your ISP, but doesn't advertise his
> network to you as he actually downlinks that network from somewhere
> else... nothing to stop that topology either......... right?

a default route is still a route (may need configuring "allow-default").

-----> well that covers everything doesn't it ;o)... even those not in your network.. does it actually ping and check to see if it's there?

i don't think you grasp the idea of "reachable-via any" which allows you to filter only if there is no route for the source address in the entire table, allowing for asymmetry in the network.

--------------> do you inject BGP into IGP? .... do all access boxes have the entire BGP table/or know every address/network on the internet?

if the router can't return a response or icmp packet to the source, why bother with the packet.
if the router doesn't have a full table and no default route then it just isn't a smart place to filter (and a very extreme corner case).

------> most access would be the corner cases... i have cases where tier-2 ISPs would simply take a 3 Mb uplink from 1 service provider and a fat downlink from another (ISP-2)... all the BGP routes/advertisements would be in the 2nd ISP's networks, ISP 1 has no idea what this guy's address range at the access is... this is a common mechanism lots of tier-2 ISPs would apply...... okie... does RPF actually ping and check if there is "indeed" a way to get to the destination purely via IGP (to indicate it is in the same AS as it is a spoofed IP)?.. again note, purely via IGP... not BGP.. (again not a 0.0.0.0/0 crossing to another AS)

if you anyway knew the network so well, a better way would be to use route filters in bgp (access list in) if you anyway knew the customer's network range, and for non-BGP customers, simple filters at edge points without RPF would put the same overhead i guess....
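As an added example (my own, not from this thread), here is a small Python model of the check being argued about: a toy FIB with a default route, strict vs. loose ("reachable-via any") mode and an allow-default knob, run against the asymmetric-customer case raised above. The prefixes and interface names are constructed; the FIB deliberately lacks the asymmetric customer's prefix because he only advertises it to the other ISP.

```python
from ipaddress import ip_address, ip_network

# Constructed FIB for "ISP 1": prefix -> egress interface. The asymmetric
# customer's 192.0.2.0/24 is deliberately absent: as in the thread, he only
# advertises it to ISP 2, yet his packets still arrive here on Gi0/3.
FIB = {
    ip_network("0.0.0.0/0"): "Gi0/0",         # default route toward transit
    ip_network("198.51.100.0/24"): "Gi0/1",   # dial-in pool
    ip_network("203.0.113.0/25"): "Gi0/2",    # aggregated customer circuit
}


def lookup(src):
    """Longest-prefix match on the FIB; returns (prefix, egress) or None."""
    best = None
    for prefix, iface in FIB.items():
        if src in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_accept(src, ingress, mode="strict", allow_default=False):
    """uRPF verdict for a packet with source `src` arriving on `ingress`.
    strict        : the route for the source must point back out `ingress`
    loose         : any route for the source suffices ("reachable-via any")
    allow_default : whether 0.0.0.0/0 counts as a route for the source
    The check is a pure FIB lookup; nothing is pinged or probed.
    """
    match = lookup(ip_address(src))
    if match is None:
        return False
    prefix, egress = match
    if prefix.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return egress == ingress


if __name__ == "__main__":
    cases = [
        ("198.51.100.7", "Gi0/2"),  # dial-in address spoofed from a customer circuit
        ("203.0.113.10", "Gi0/2"),  # legitimate customer source
        ("192.0.2.5", "Gi0/3"),     # asymmetric customer: only the default covers him
    ]
    for src, ifc in cases:
        print(src, ifc,
              "strict:", urpf_accept(src, ifc),
              "loose:", urpf_accept(src, ifc, "loose"),
              "loose+allow-default:", urpf_accept(src, ifc, "loose", True))
```

The last case shows the trade-off in the thread: only loose mode with allow-default lets the asymmetric customer through, but that same setting also passes any source the default route covers.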