There was a comment from Chris saying "never possible to know what networks
a BGP customer uplinks via you", which is very true... so I assume you mean
non-BGP customers? Loose or strict, RPF will not work for asymmetrically
connected BGP neighbouring ASes....
How does loose not work in this scenario?
If it's not in the global tables -at all-, it's not reachable, and
might as well be discarded.
--msa
If loose RPF doesn't work, you're about to start dropping packets *anyhow*.
Unless, of course, you *INTENDED* to have a topology where you're accepting
traffic from another AS and forwarding it, and you don't have a return path
yourself, but the destination *does* have an asymmetric path.
Oh.. and you have to consider it acceptable that if any OTHER customer, connected
to that part of your AS that doesn't have a route, tries to contact the
source, they can't get there.
Sounds like you're trying to either shoot yourself in the foot, or design a
new too-clever-by-half way of building a VPN.
There was a comment from Chris saying "never possible to know what
networks
a BGP customer uplinks via you", which is very true... so I assume you mean
non-BGP customers? Loose or strict, RPF will not work for asymmetrically
connected BGP neighbouring ASes....
How does loose not work in this scenario?
If it's not in the global tables -at all-, it's not reachable, and
might as well be discarded.
------> The scenario is this... a BGP customer uplinks network a.b.c.d via
me, but advertises it via some place else (some other network he peers with)
and some other BGP peer/router to bring that traffic back into his AS...
This can also happen mainly due to BGP metrics, blah blah....
Now, essentially a.b.c.d can be anything... and he need not tell me what he
uplinks from me; all he tells me are the networks he downlinks via me, so as
to tell me what route-maps to put with ACLs for BGP advertisements from
him......
In fact people tend to use this very often (also a way of providing for link
failure etc. by multihoming)... and they have the choice to uplink anything
from anywhere and downlink it from another location... they certainly don't
need to tell you what they uplink... as far as I know...
Now the point is that if you use loose RPF here.... what are you filtering on?
You don't even know what he is uplinking to you...
I assume the subject is still DDoS attacks... using spoofed IPs...
Now when you don't know what he is uplinking from your networks, how do you even
know what to block?
If you say "loose" simply means check if the entry for the network is there in
the routing table... then the entire Internet is there in the routing
table... (thanks to BGP).... so it certainly work on BGP-based "edges".
The other point you made about not reachable... well, not reachable from where?
From an OSPF-running node which uses 0.0.0.0? A lot of one's own networks etc.
may not be reachable from there, I guess... as they are covered in default
routes...
For a BGP-running router... all valid Internet addresses are "reachable";
for an OSPF router... all is reachable either via 0.0.0.0, and if you remove
default any, it doesn't even know what the customer networks are..... so a lot
"isn't" reachable....
I think, as was rightly defined... the edge is the place where the end
user/host gets onto the net...
Sounds like you're trying to either shoot yourself in the foot, or design a
new too-clever-by-half way of building a VPN.
It is called a one-way IP over satellite link to places like Australia, New
Zealand or the Middle East. So it is not like we are talking about a little bit of
traffic.
Alex
If loose RPF doesn't work, you're about to start dropping packets *anyhow*.
Unless, of course, you *INTENDED* to have a topology where you're accepting
traffic from another AS and forwarding it, and you don't have a return path
yourself, but the destination *does* have an asymmetric path.
Oh.. and you have to consider it acceptable that if any OTHER customer,
connected
to that part of your AS that doesn't have a route, tries to contact the
source, they can't get there.
Sounds like you're trying to either shoot yourself in the foot, or design a
new too-clever-by-half way of building a VPN.
------------>
Take a simple scenario:
AS-1, AS-2, AS-3 and AS-4.
AS-2 and AS-3 in the middle; AS-1 and AS-4 multihome on them and are on
either side of AS-2 and AS-3... they don't peer with each other... (though AS-2
and AS-3 maybe).
AS-1 advertises a network x.y.z.w via AS-2 only.
AS-4 sees this and knows that to go back to x.y.z.w he has to go via AS-2.
AS-4 advertises a network a.b.c.d via AS-3 only.... AS-1 sees this too.
Traffic has to go between x.y.z.w and a.b.c.d.
Please tell me what symmetry you see here?...
And this doesn't happen on the net??
Now what do you do in AS-2 and AS-3? If you say AS-2 and AS-3 will learn the
networks via AS-1 and AS-4 respectively, or by their own peering, then that's the
whole point.... they know the "network" exists... they don't know which set of
traffic goes via them and which doesn't... because you can't... you never know what
"source IP goes via you"... you know that it will be destined somewhere and you
will know the destination if all routing on the net is proper...... that's
all... you may know the source too... but your path to the source won't be the
path from where the packet came to you from the source...
If what you mean by loose is "exist only" then yes, on a BGP-running router
probably the WHOLE INTERNET IS EXIST ONLY... that surely gives you enough IPs to
spoof with...?? How do you block by source???
You could only know that "from that link between AS-1 and AS-2 there will
be some traffic from a network IP of AS-1" etc... which still is a huge
network... enough to spoof lots of IPs.....
Just got a stinker from bdragon too..... maybe I am dumb and you could do as
you please... I'm not questioning your argument here... but I simply don't see
it...??
This is what I saw and I mentioned it....
-goodnight
Alok
Ahh.. but in your example, all 4 ASes have *SOME* route. So loose RPF would
still work.
Now let's consider this example:
AS-1 advertises to *ONLY* as-2, and as-3 filters as-2's announcement, so they
have *no* route to as-1. as-4 gets a route to as-1 via as-2. as-1 packets come
in to as-3 *anyhow* on their way to as-4, and return packets go 4-2-1. This
still works, as long as as-3 doesn't do loose-RPF because they'll drop the
packets due to lack of a route.
Of course, if any customer of as-3 wants to actually talk to as-1, you're
going to be opening a trouble ticket.
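The two cases argued in this thread (Alok's four-AS example with asymmetric paths, and bdragon's variant where AS-3 filters the announcement and so has no route to AS-1 at all), worked through as an added example that is not part of the original thread: a toy longest-prefix-match forwarding table with loose and strict uRPF checks run against the packets each scenario produces. The prefixes (192.0.2.0/24 standing in for x.y.z.w, 198.51.100.0/24 for a.b.c.d, 203.0.113.0/24 for an unrelated prefix in the full table), the interface names and the sample source addresses are all constructed for illustration. The handling of a default route mirrors the behaviour of the `allow-default` keyword on Cisco IOS uRPF, which is an assumption about that platform, not something the thread states.

```python
import ipaddress


class Fib:
    """Minimal longest-prefix-match forwarding table: prefix -> egress interface."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def lookup(self, addr):
        """Return (network, iface) of the most specific match, or None."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best


def urpf_pass(fib, src, ingress, mode="loose", allow_default=False):
    """True if a packet with source `src` arriving on `ingress` passes uRPF.

    loose  : the source must match *some* route in the FIB ("exist only").
    strict : the best route back to the source must point out `ingress`.
    A bare default route does not satisfy the check unless allow_default is
    set (assumed to mirror Cisco's `allow-default` keyword).
    """
    hit = fib.lookup(src)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return iface == ingress
    raise ValueError(f"unknown uRPF mode: {mode}")


def as2_fib():
    """AS-2's border router in the four-AS example (constructed sample table)."""
    fib = Fib()
    fib.add("192.0.2.0/24", "to-as1")         # x.y.z.w: announced by AS-1 to AS-2 only
    fib.add("198.51.100.0/24", "to-as3")      # a.b.c.d: announced by AS-4 to AS-3 only
    fib.add("203.0.113.0/24", "to-upstream")  # some unrelated prefix from the full table
    return fib


def asymmetric_case():
    """AS-4 -> AS-1 packets enter AS-2 on the AS-4 link, but AS-2's route back to
    a.b.c.d points at AS-3. Returns (loose, strict)."""
    fib = as2_fib()
    src, ingress = "198.51.100.10", "to-as4"
    return (urpf_pass(fib, src, ingress, "loose"),
            urpf_pass(fib, src, ingress, "strict"))


def spoof_case():
    """A host behind AS-1 spoofs a source from an unrelated but globally routed
    prefix: loose on the AS-1 link lets it through, strict does not."""
    fib = as2_fib()
    src, ingress = "203.0.113.77", "to-as1"
    return (urpf_pass(fib, src, ingress, "loose"),
            urpf_pass(fib, src, ingress, "strict"))


def bogon_case():
    """A source with no route in the table at all is dropped by both modes."""
    fib = as2_fib()
    return (urpf_pass(fib, "10.9.8.7", "to-as1", "loose"),
            urpf_pass(fib, "10.9.8.7", "to-as1", "strict"))


def filtered_case():
    """bdragon's variant: AS-3 filtered AS-2's announcement of x.y.z.w and has no
    route to AS-1, yet AS-1 -> AS-4 packets still transit AS-3. Loose drops them."""
    fib = Fib()
    fib.add("198.51.100.0/24", "to-as4")      # a.b.c.d learned directly from AS-4
    fib.add("203.0.113.0/24", "to-upstream")
    return urpf_pass(fib, "192.0.2.5", "to-as1", "loose")


def default_route_case(allow_default):
    """An OSPF-only edge router that knows its customers plus 0.0.0.0/0: on the
    link towards the core, loose uRPF drops any source covered only by the
    default unless the default is allowed to satisfy the check."""
    fib = Fib()
    fib.add("0.0.0.0/0", "to-core")
    fib.add("192.0.2.0/24", "to-customer")
    return urpf_pass(fib, "203.0.113.77", "to-core", "loose", allow_default=allow_default)


if __name__ == "__main__":
    print("asymmetric (loose, strict):", asymmetric_case())
    print("spoofed routed source     :", spoof_case())
    print("unrouted source           :", bogon_case())
    print("AS-3 with filtered route  :", filtered_case())
    print("default route, no allow   :", default_route_case(False))
    print("default route, allowed    :", default_route_case(True))
```

Strict uRPF is the only mode that catches the spoofed-but-routed source, and it is also the mode that drops the legitimate asymmetric flow; loose passes both, and only refuses sources the router has no route for at all, which in the filtered variant includes perfectly legitimate AS-1 traffic. The default-route flag matters on an OSPF-only edge box: without it, loose uRPF on the core-facing side behaves like "drop everything I don't have a specific route for".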