> fine now? u can put "loose"...its NO USE!! thats what i said..there will
> always be a route to the source...all u may drop is 10.x/192.168 and
> 172/16-31..that too if ur network isnt internally using it
Oh, and if this ends up being the case, what's wrong with that? Less RFC1918
crap
> fine now? u can put "loose"...its NO USE!! thats what i said..there will
> always be a route to the source...all u may drop is 10.x/192.168 and
> 172/16-31..that too if ur network isnt internally using it
>
> and if u end up putting "loose" an OSPF router ull drop valid traffic if ur
>
> One of my clients is currently a victim of an over-zealous ISP
> recklessly trying to implement rpf.
Assuming the provider is doing the right thing by filtering routing
announcements, and assuming the customer has done the right thing
by informing their provider of the blocks they _might_ ann
> > Sounds like you're trying to either shoot yourself in the foot, or design a
> > new too-clever-by-half way of building a VPN.
>
> It is called a one-way ip over satellite link to places like Australia, New
> Zealand or Middle East. So it is not like we are talking about little bit of
> traffic
On Fri, 08 Nov 2002 01:55:03 +0530, alok said:
> take a simple scenario
> AS-1 , AS-2 and AS-3 and as-4
>
> AS-2 and as-3 in the middle, as-1 and as-4 multihome on them and are on
> either side of as-2 and as-3..they dont peer with each other ...(though as-2
> and as-3 mebbe)
>
> as-1 advertise
if what u mean by loose is "exist only" then yes on a bgp running router
probably the WHOLE INTERNET IS EXIST ONLY...that surely gives u enuf ips to
spoof with?? how do u block by source?
you could only know that "from that link between as-1 and as-2 there will
be some traffic from
If loose rpf doesn't work, you're about to start dropping packets *anyhow*.
Unless, of course, you *INTENDED* to have a topology where you're accepting
traffic from another AS and forwarding it, and you don't have a return path
yourself, but the destination *does* have an asymmetric path.
Oh..
--
From: [EMAIL PROTECTED] [mailto:owner-nanog@;merit.edu] On Behalf Of
alok
Sent: Thursday, November 07, 2002 3:00 PM
To: Majdi S. Abbas; [EMAIL PROTECTED]
Subject: Re: Where is the edge of the Internet? Re: no ip
forged-source-address
On Fri, Nov 08, 2002 at 01:01:33AM +0530, alok wrote:
> there
> Sounds like you're trying to either shoot yourself in the foot, or design a
> new too-clever-by-half way of building a VPN.
It is called a one-way ip over satellite link to places like Australia, New
Zealand or Middle East. So it is not like we are talking about little bit of
traffic.
Alex
> Ok, so I'll respond to one more of the messages I missed yesterday.
>
> On Mon, 4 Nov 2002, Matt Buford wrote:
> > On Mon, 4 Nov 2002 [EMAIL PROTECTED] wrote:
> > > The only equipment I've heard here which has serious issues related to
> > > feature availability is the 12000 (which was never a p
On Fri, 08 Nov 2002 01:01:33 +0530, alok said:
> there was a comment from chris saying..."never possible to know what networks
> an bgp customer uplinks via you" which is very true.. ..so i assume u mean
> non-bgp customers? loose or strict, rpf will not work for asymmetrically
> connected bgp neig
On Fri, Nov 08, 2002 at 01:01:33AM +0530, alok wrote:
> there was a comment from chris saying..."never possible to know what networks
> an bgp customer uplinks via you" which is very true.. ..so i assume u mean
> non-bgp customers? loose or strict, rpf will not work for asymmetrically
> connected
On Fri, Nov 08, 2002 at 01:01:33AM +0530, alok wrote:
> there was a comment from chris saying..."never possible to know what networks
> an bgp customer uplinks via you" which is very true.. ..so i assume u mean
> non-bgp customers? loose or strict, rpf will not work for asymmetrically
> connected b
-
From: <[EMAIL PROTECTED]>
To: alok <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, November 08, 2002 12:41 AM
Subject: Re: Where is the edge of the Internet? Re: no ip
forged-source-address
> > I'm opposed to some of the suggestions where to put source address
> > filters, especially placing them in "non-edge" locations. E.g. requiring
> > address filters at US border crossings is a *bad* idea, worthy of an
> > official visit from the bad idea fairy.
>
> What is bad about filtering
Ok, so I'll respond to one more of the messages I missed yesterday.
On Mon, 4 Nov 2002, Matt Buford wrote:
>
> On Mon, 4 Nov 2002 [EMAIL PROTECTED] wrote:
> > The only equipment I've heard here which has serious issues related to
> > feature availability is the 12000 (which was never a particular
Sean puts this very nicely... I was away today so I missed the rest of the
traffic and looking it over a lot of it was not relevant. I'll put in some
comments here though.
On Mon, 4 Nov 2002, Sean Donelan wrote:
>
> On Mon, 4 Nov 2002 [EMAIL PROTECTED] wrote:
> > What about the other large isps?
> I'm opposed to some of the suggestions where to put source address
> filters, especially placing them in "non-edge" locations. E.g. requiring
> address filters at US border crossings is a *bad* idea, worthy of an
> official visit from the bad idea fairy.
What is bad about filtering facing non-
On Mon, 4 Nov 2002 [EMAIL PROTECTED] wrote:
> The only equipment I've heard here which has serious issues related to
> feature availability is the 12000 (which was never a particularly good
> aggregation device to begin with). RPF works fine on 7200, 7500, and
> 6500, from my experience. I've not u
> On Mon, 4 Nov 2002 [EMAIL PROTECTED] wrote:
> > What about the other large isps? What would it take for you to do
> > something? Chris is gracious enough to show up and participate, at
> > least even if it does mean he has to wear nomex.
>
> I'm in favor of source address filtering at the edges
At 06:18 PM 11/4/2002, Sean Donelan wrote:
On Mon, 4 Nov 2002 [EMAIL PROTECTED] wrote:
> What about the other large isps? What would it take for you to do
> something? Chris is gracious enough to show up and participate, at
> least even if it does mean he has to wear nomex.
I'm in favor of sour
On Mon, 4 Nov 2002 [EMAIL PROTECTED] wrote:
> What about the other large isps? What would it take for you to do
> something? Chris is gracious enough to show up and participate, at
> least even if it does mean he has to wear nomex.
I'm in favor of source address filtering at the edges.
I'm oppos
22 matches