"Justin W. Newton" <firstname.lastname@example.org>:
Actually what Justin was talking about is as follows...
Justin will only allow packets out of his border routers /to/ peers if they
are packets with a source address inside the ranges of addresses he
announces via BGP. I.e. if I announce 126.96.36.199 0.0.0.255 I would allow a
packet with an address of 188.8.131.52 out of my network into "the net at
large" but not if the packets source address was 184.108.40.206. I will allow
any packet which I allow to enter my network into a customer's network.
Their filtering is their problem.
... and the broken case I was talking about was (e.g.) where you announce
your AS-MACRO or whatever to peer routers A, B, C accross a NAP but
also annouce full routing (for say backup transit) to D. Let's say
for simplicity 220.127.116.11 is your only announcement to peers (small
network ). So you would have to filter outgoing packets to A-C
differently than those to D (as they might legitimately have source
addresses from within the internet at large and be destined for D).
You could do this on (say) IP address of next hop. But let's say D
transits B, and doesn't have next-hop-self switched on. Then packets from
source addresses from internet at large which were destined for B, which
would legitimately be passing out of your i/f towards B would get filtered.
Fine, so you could force them to use next-hop-self, or use the IP
address of the BGP peer concerned to do the filtering on. But this
wouldn't work with the RAs.
This is a problem whenever you are providing customer facing services
(in the broadest sense, i.e. transit) out of the same i/f as peer
services. OK, so you decide that *either* the source
or the destination address has to be within your 'peer' announcement
(i.e. the packet has to either be going to one of your networks
(in this case including D's who you are transitting) or coming
from one of your networks (also incl. D)). Well fine, but if
you blur the transit / peer distinction further we get down
to a situation where you are essentially routing on source address
as well as destination address. Not really very maintainable.