I'm opposed to some of the suggestions where to put source address
filters, especially placing them in non-edge locations. E.g. requiring
address filters at US border crossings is a *bad* idea, worthy of an
official visit from the bad idea fairy.
What is bad about filtering facing
--- so it's a hardware limitation? bigger cores needed
The best place to filter is the edge of one's network, in the strictest
manner possible. While possible to filter in the core of one's network,
you lose the majority of the usefulness of RPF (no strict checking, can
only check for
On Fri, Nov 08, 2002 at 01:01:33AM +0530, alok wrote:
there was a comment from Chris saying... never possible to know what networks
a BGP customer uplinks via you, which is very true... so I assume you mean
non-BGP customers? Loose or strict, RPF will not work for asymmetrically
connected BGP
Sounds like you're trying to either shoot yourself in the foot, or design a
new too-clever-by-half way of building a VPN.
It is called a one-way IP over satellite link to places like Australia, New
Zealand or the Middle East. So it is not like we are talking about a little bit of
traffic.
Alex
One of my clients is currently a victim of an over-zealous ISP
recklessly trying to implement RPF.
One (of two) ISPs is trying to monitor my customer's circuit by
watching the serial interface (IP address) of the CPE (customer owned
and controlled) router (IP address is from the ISP's block).
If loose rpf doesn't work, you're about to start dropping packets *anyhow*.
Unless, of course, you *INTENDED* to have a topology where you're accepting
traffic from another AS and forwarding it, and you don't have a return path
yourself, but the destination *does* have an asymmetric path.
Oh..
if what you mean by loose is "exists only" then yes, on a BGP-running router
probably the WHOLE INTERNET IS "EXISTS ONLY"... that surely gives you enough IPs to
spoof with?? how do you block by source?
you could only know that from that link between AS-1 and AS-2 there will
be some traffic from a
On Fri, 08 Nov 2002 01:55:03 +0530, alok said:
take a simple scenario
AS-1, AS-2, AS-3 and AS-4
AS-2 and AS-3 in the middle, AS-1 and AS-4 multihome on them and are on
either side of AS-2 and AS-3.. they don't peer with each other... (though AS-2
and AS-3 maybe)
AS-1 advertises a
One of my clients is currently a victim of an over-zealous ISP
recklessly trying to implement RPF.
Assuming the provider is doing the right thing by filtering routing
announcements, and assuming the customer has done the right thing
by informing their provider of the blocks they _might_
fine now? you can put loose... it's NO USE!! that's what I said.. there will
always be a route to the source. all you may drop is 10.x/192.168 and
172.16-31.. that too if your network isn't internally using it
Oh, and if this ends up being the case, what's wrong with that? Less RFC1918
crap
come to think of it, it certainly makes it easier in the access... everything
points to that...
would help if there was a mandatory doc.. then even those asymmetric
routing chaps would anyway put it in their access :o)
-rgds
alok
- Original Message -
From: alok [EMAIL PROTECTED]
To:
Paul Vixie wrote:
here's what i came up with while trying to explain the edge elsewhere.
1 - Connection Taxonomy
1.1. The Internet is a network of networks, where the component
networks are called Autonomous Systems (AS), each having a unique AS
Number (ASN).
Even if this reflects the original intent of ASNs, it certainly does not fit
current reality.
it is
Ok, so I'll respond to one more of the messages I missed yesterday.
On Mon, 4 Nov 2002, Matt Buford wrote:
On Mon, 4 Nov 2002 [EMAIL PROTECTED] wrote:
The only equipment I've heard here which has serious issues related to
feature availability is the 12000 (which was never a particularly
just curious
do most SPs/IXs actually have the entire BGP routing table with them?
so that every network in the world which is registered is available to them
in some form or another?
-rgds
Alok
- Original Message -
From: alok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Martin [EMAIL
$author = alok ;
they will charge you a whopping sum for that picking places bit ;o)
... I agree that the best place to actually address such scenarios is the
backbone/peering points/borders where all traffic is seen.. rather than
go around tinkering at all edges.. but I don't know how RPF would address
the
$author = alok ;
do most SPs/IXs actually have the entire BGP routing table with them?
how long's that piece of string?
there are many ways to design a network. you can have no BGP feeds (defaults
+ static), you can have no full BGP feeds (maybe customer only feed across
a peering circuit +
--On Monday, November 04, 2002 19:22:14 -0500 [EMAIL PROTECTED] wrote:
So, in this vein, is there gear other than old 12000 linecards that
can't do RPF? Is anyone still using 2500's or 4500's?
What non-hardware reasons are there not to do
inline
$author = alok ;
so it's a hardware limitation? bigger cores needed
not necessarily. if you do the filtering in the right places you can leave
the core to do its job of passing packets.
also, the idea of filtering at the edges is designed to reduce the distance
dud packets
$author = alok ;
yup, but it's fine if they reach the core as long as they don't go out
of it onto some WAN ($$) link (surely you have enough on ethernet and pretty
much don't care what's there),... it's still not hogging away bandwidth.. but
it's the ideal point to know everything passing
On Tue, 05 Nov 2002 13:26:04 +0530, alok [EMAIL PROTECTED] said:
=== coz the destination network is there. it's still a viable config
isn't it.. in case of asymmetric uplinks and downlinks? .. what stops you from
not having a route to the source as routing is destination IP based...
you confused me with that question... who said the destn net was unreachable?
address (as per your scenario). You look up the destination in the routing
table, and don't find it. So we look in RFC792 on page 5:
If, according to the information in the gateway's routing tables,
the network specified in the internet destination field of a
datagram is
On Wed, 06 Nov 2002 01:27:21 +0530, alok [EMAIL PROTECTED] said:
- who does? the source is reachable... via BGP. it's a
valid internet address...
Hold that thought for a bit, and remember that at least *some* of us were
discussing whether to drop packets if we *DONT* have a
Where is the edge of the Internet?
here's what i came up with while trying to explain the edge elsewhere.
1 - Connection Taxonomy
1.1. The Internet is a network of networks, where the component
networks are called Autonomous Systems (AS), each having a unique AS
Number (ASN).
$author = alok ;
you can't if it's a valid internet address... can you?
depends on what you mean by valid.
- does valid = any 32 bit dotted quad?
- does valid = any IP not in 1918 space?
- does valid = any IP that the routing table has an entry for?
- does valid = packets from this IP came in
here is the scenario
you have a BGP A --- OSPF B --- BGP C router setup
what will you do on OSPF B?
coz transit traffic can flow through it...
careful selection... :o) well that way you can fill every hole.. no end to
it... and it generates good jobs :o)
but what I was trying to say to Valdis was
Sean puts this very nicely... I was away today so I missed the rest of the
traffic and looking it over a lot of it was not relevant. I'll put in some
comments here though.
On Mon, 4 Nov 2002, Sean Donelan wrote:
On Mon, 4 Nov 2002 [EMAIL PROTECTED] wrote:
What about the other large ISPs?
On Mon, 4 Nov 2002 [EMAIL PROTECTED] wrote:
What about the other large ISPs? What would it take for you to do
something? Chris is gracious enough to show up and participate, at
least even if it does mean he has to wear nomex.
I'm in favor of source address filtering at the edges.
I'm opposed
At 06:18 PM 11/4/2002, Sean Donelan wrote:
On Mon, 4 Nov 2002 [EMAIL PROTECTED] wrote:
What about the other large ISPs? What would it take for you to do
something? Chris is gracious enough to show up and participate, at
least even if it does mean he has to wear nomex.
I'm in favor of source
On Mon, 4 Nov 2002 [EMAIL PROTECTED] wrote:
The only equipment I've heard here which has serious issues related to
feature availability is the 12000 (which was never a particularly good
aggregation device to begin with). RPF works fine on 7200, 7500, and
6500, from my experience. I've not used
$author = alok ;
makes sense on the edge/aggregation but if you do it further up in
the network. there may be some cases where we have asymmetric routing,
where the uplink path is never the same as the downlink path,
hence the suggestion of reachable-via any rather than route to
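The thread keeps circling one distinction: strict RPF at a customer edge, loose RPF ("exists only", or reachable-via any) further in, and alok's objection that loose mode drops almost nothing once a default route or a full table is present. The following Python is an added example, not code from any of the posters: a toy longest-prefix router that replays alok's AS-1/AS-2/AS-3/AS-4 sketch and evaluates Martin's four candidate meanings of a "valid" source. The routing table, the interface names to-AS1 and to-AS3, and the addresses (RFC 5737 documentation prefixes) are constructed for the illustration. The one real-world reference is that Cisco's "ip verify unicast source reachable-via rx|any [allow-default]" selects the same strict, loose and default-route behaviours the model uses.

```python
"""Toy unicast RPF (uRPF) model replaying the thread's strict vs. loose argument.

Added example, not code from the original posts. The routing table, the
interface names "to-AS1"/"to-AS3" and the addresses (RFC 5737 documentation
prefixes) are constructed for the illustration.

Scenario (after alok's AS-1..AS-4 sketch): R2 is AS-2's border router. AS-1 is
multihomed to AS-2 and AS-3, announces 198.51.100.0/24 to AS-2 but
203.0.113.0/24 only to AS-3, and sends all of its outbound traffic via AS-2
(asymmetric uplink). AS-4 (192.0.2.0/24) sits behind AS-3.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Router:
    def __init__(self, name):
        self.name = name
        self.routes = []        # list of (network, outgoing interface)

    def add_route(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def lookup(self, addr):
        """Longest-prefix match; returns (network, iface) or None."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best

    def urpf(self, src, in_iface, mode):
        """True if a packet from `src` arriving on `in_iface` passes the check.

        strict: the route back to the source must point out `in_iface`
                (Cisco: ip verify unicast source reachable-via rx).
        loose:  any route back to the source is enough (reachable-via any).
        A default route counts as a route here (what Cisco's allow-default
        keyword selects), so with 0.0.0.0/0 installed loose mode passes
        every source, which is alok's "it's NO USE" point.
        """
        hit = self.lookup(src)
        if hit is None:
            return False        # no route back at all: dropped in both modes
        if mode == "loose":
            return True
        if mode == "strict":
            return hit[1] == in_iface
        raise ValueError(f"unknown uRPF mode {mode!r}")


def validity(router, src, in_iface):
    """Martin's four candidate meanings of a 'valid' source, evaluated on R2."""
    a = ipaddress.ip_address(src)
    return {
        "dotted_quad": a.version == 4,
        "not_rfc1918": not any(a in n for n in RFC1918),
        "has_route": router.lookup(src) is not None,
        "came_in_on_best_path": router.urpf(src, in_iface, "strict"),
    }


def build_r2(with_default=False):
    r2 = Router("R2 (AS-2 border)")
    r2.add_route("198.51.100.0/24", "to-AS1")   # AS-1 prefix announced to AS-2
    r2.add_route("203.0.113.0/24", "to-AS3")    # AS-1 prefix only heard via AS-3
    r2.add_route("192.0.2.0/24", "to-AS3")      # AS-4, behind AS-3
    if with_default:
        r2.add_route("0.0.0.0/0", "to-AS3")     # default toward the upstream
    return r2


def replay():
    """Check three sources on the AS-1 link; returns {(src, default): (strict, loose)}."""
    results = {}
    for with_default in (False, True):
        r2 = build_r2(with_default)
        for src in ("198.51.100.7", "203.0.113.9", "10.1.2.3"):
            results[(src, with_default)] = (r2.urpf(src, "to-AS1", "strict"),
                                            r2.urpf(src, "to-AS1", "loose"))
    return results


if __name__ == "__main__":
    for (src, dflt), (s, l) in sorted(replay().items()):
        print(f"src={src:<13} default_route={str(dflt):<5} "
              f"strict={'pass' if s else 'DROP'}  loose={'pass' if l else 'DROP'}")
```

Running it prints one line per case. The 203.0.113.9 rows are the asymmetric customer: legitimate traffic that strict mode drops because the best route back points at the AS-3 peering, which is why the thread suggests reachable-via any above the customer edge. The 10.1.2.3 rows show that loose mode catches the RFC 1918 source only until a default route is installed, after which it passes, exactly the "there will always be a route to the source" objection.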
Hi
see inline :o),
- Original Message -
From: Martin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 05, 2002 12:59 PM
Subject: Re: Where is the edge of the Internet?
$author = alok ;
makes sense on the edge/aggregation but if you do it further up in
the