Is it time to abandon bogon prefix filters?

Kevin Loch kloch at kl.net
Wed Aug 20 14:00:30 UTC 2008


Pekka Savola wrote:
> On Tue, 19 Aug 2008, Kevin Loch wrote:
>>>      While you're at it, you also placed the reachable-via rx on
>>>  all your customer interfaces.  If you're paranoid, start with the 'any'
>>>  rpf and then move to the strict rpf.  The strict rpf also helps with
>>>  routing loops.
>>
>> Be careful not to enable strict rpf on multihomed customers.  This
>> includes any bgp customer unless you know for sure they are single
>> homed to you and that will not change.
> 
> Strict uRPF (feasible paths variant, RFC3704) works just fine with 
> multihomed customers here.
> 
> But we don't allow TE more specifics either from the customer or from 
> peers, so the longest prefix matching doesn't get messed up.  And with 
> certain kind of p2p link numbering, you may need to add a dummy static 
> route.  But it works.

It doesn't look like the feasible paths rpf handles the situation where
your bgp customer is not announcing all or any of their prefixes to you.
This can be done for TE or debugging an inbound routing
issue.  Announcing prefixes to me and then blackholing the traffic
is not something I would appreciate as a customer.

If you do this (or strict rpf) on BGP customers at least warn them up front
that if they ever stop announcing prefixes to you then traffic they send
you will get dropped.

- Kevin
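As an added illustration of the point argued in this thread (not part of the original post or of any vendor's implementation): a toy Python model of strict, feasible-path (RFC 3704) and loose uRPF against a small RIB. The interface names "cust" and "peer" and the prefix 203.0.113.0/24 are constructed; the scenario shows feasible-path passing a multihomed customer's traffic while they still announce to us, and dropping it once they withdraw the announcement.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Route:
    best: str                                  # interface of the active (best) path
    feasible: set = field(default_factory=set) # every interface with a valid path

class Router:
    """Minimal RIB that remembers all feasible paths, not just the best one."""
    def __init__(self):
        self.rib = {}  # ip_network -> Route

    def learn(self, prefix, iface, best=False):
        r = self.rib.setdefault(ipaddress.ip_network(prefix), Route(best=iface))
        r.feasible.add(iface)
        if best:
            r.best = iface

    def withdraw(self, prefix, iface):
        net = ipaddress.ip_network(prefix)
        r = self.rib.get(net)
        if r is None:
            return
        r.feasible.discard(iface)
        if not r.feasible:
            del self.rib[net]
        elif r.best == iface:
            r.best = sorted(r.feasible)[0]   # fall back to another feasible path

    def lookup(self, src):
        addr = ipaddress.ip_address(src)
        matches = [n for n in self.rib if addr in n]
        return self.rib[max(matches, key=lambda n: n.prefixlen)] if matches else None

    def urpf(self, mode, src, ingress):
        """True if a packet from src arriving on ingress passes the given uRPF mode."""
        r = self.lookup(src)
        if r is None:
            return False                      # no route at all: every mode drops
        if mode == "loose":
            return True                       # any route suffices
        if mode == "strict":
            return r.best == ingress          # best path must point back out ingress
        if mode == "feasible":
            return ingress in r.feasible      # any feasible path via ingress suffices
        raise ValueError(mode)

def multihomed_customer_scenario():
    """Customer on 'cust' is also reachable via 'peer', and the peer path is preferred.
    Returns per-mode verdicts before and after the customer stops announcing to us."""
    r = Router()
    r.learn("203.0.113.0/24", "cust")
    r.learn("203.0.113.0/24", "peer", best=True)     # constructed: peer path wins
    modes = ("strict", "feasible", "loose")
    before = {m: r.urpf(m, "203.0.113.7", "cust") for m in modes}
    r.withdraw("203.0.113.0/24", "cust")             # customer withdraws (TE / debugging)
    after = {m: r.urpf(m, "203.0.113.7", "cust") for m in modes}
    return before, after
```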