Todd Underwood was a little late

Steve Bertrand steve at ipv6canada.com
Fri Jun 18 07:37:24 CDT 2010


On 2010.06.17 17:10, William Herrin wrote:
> On Thu, Jun 17, 2010 at 12:38 AM, Roy <r.engehausen at gmail.com> wrote:
>> On 6/16/2010 7:43 PM, Jon Lewis wrote:
>>>  With a larger
>>> network, multiple IP blocks, ***numerous multihomed customers***, some of which
>>> use IP's we've assigned them, it gets a little more complicated to do.
>>> I could reject at our border, packets sourced from our IP ranges with
>>> exceptions for any of the IP blocks we've assigned to multihomed customers.
>>
>> Sounds like a good use of URPF.
> 
> Reverse path filtering + asymmetric routing = epic fail. Jon did say
> Multihomed customer.

What RPF can do in this case though, is pro-actively prevent possible
future problems.

If all IP blocks are tied down to null, and urpf is enabled in loose
mode on an interface, it will catch cases where someone is sourcing
traffic to you using IPs from the unassigned space that you have in your
free pools.

Every month or so I re-route my blackholed traffic to a sinkhole, and
more often than not, I see some ingress traffic from my unassigned space.

Steve




More information about the NANOG mailing list