Where is the edge of the Internet? Re: no ip forged-source-address

alok alok.dube at apara.com
Thu Nov 7 20:25:03 UTC 2002


If loose rpf  doesn't work, you're about to start dropping packets *anyhow*.

Unless, of course, you *INTENDED* to have a topology where you're accepting
traffic from another AS and forwarding it, and you don't have a return path
yourself, but the destination *does* have an asymmetric path.

Oh.. and you have to consider it acceptable that if any OTHER customer,
connected to that part of your AS that doesn't have a route, tries to
contact the source, that they can't get there.

Sounds like you're trying to either shoot yourself in the foot, or design a
new too-clever-by-half way of building a VPN.



------------>

take a simple scenario:
AS-1, AS-2, AS-3 and AS-4

AS-2 and AS-3 in the middle, AS-1 and AS-4 multihome on them and are on
either side of AS-2 and AS-3..they don't peer with each other ...(though AS-2
and AS-3 maybe)

AS-1 advertises a network x.y.z.w via AS-2 only.
AS-4 sees this and knows that to go back to x.y.z.w he has to go via AS-2


AS-4 advertises a network a.b.c.d via AS-3 only.... AS-1 sees this too

traffic has to go between x.y.z.w and a.b.c.d

please tell me what symmetry you see here?...

and this doesn't happen on the net??

now what do you do in AS-2 and AS-3? if you say AS-2 and AS-3 will learn the
networks via AS-1 and AS-4 resp. or by their own peering, then that's the
whole point....they know the "network" exists ..they don't know which set of
traffic goes via them and which doesn't... because you can't...you never know what
"source IP goes via you"...you know that it will be destined somewhere and you
will know the destination if all routing on the net is proper......that's
all...you may know the source too...but your path to the source won't be the
path from where the packet came to you from the source...


if what you mean by loose is "exist only" then yes on a BGP running router
probably the WHOLE INTERNET IS EXIST ONLY...that surely gives you enough IPs to
spoof with....?? how do you block by source?????????

you could only know that "from that link between AS-1 and AS-2 there will
be some traffic from a network IP of AS-1" etc...which still is a huge
network..enough to spoof lots of IPs.....

just got a stinker from bdragon too.....maybe i am dumb and you could do as
you please... i'm not questioning your argument here...but i simply don't see
it...??

this is what i saw and i mentioned it....

-goodnight

Alok
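The strict-versus-loose uRPF behaviour argued about in this thread, as an added example that is not part of the original post or of any vendor's code. It models the AS-2 border router's forwarding table for the four-AS scenario above using constructed RFC 5737 documentation prefixes (192.0.2.0/24 standing in for AS-1's x.y.z.w, 198.51.100.0/24 for AS-4's a.b.c.d) and interface names that are assumptions; the packets are constructed too. It shows why strict mode drops the legitimate but asymmetric AS-4 -> AS-1 traffic, while loose mode passes it and also passes a forged source from any prefix the router has a route for, dropping only sources with no route at all:

```python
"""Strict vs loose unicast RPF over a toy longest-prefix-match FIB.

Added example (not from the NANOG post).  Prefixes are RFC 5737 documentation
space and the interface names are constructed for the AS-1..AS-4 scenario.
"""
import ipaddress

# Constructed FIB of the AS-2 border router: prefix -> egress interface.
# AS-4 announced its space only via AS-3, so AS-2's route to it points at AS-3,
# even though AS-4 hands AS-2 packets directly over the AS-4 link.
FIB_AS2 = {
    "192.0.2.0/24":    "to-AS1",   # AS-1's space (x.y.z.w), learned directly from AS-1
    "198.51.100.0/24": "to-AS3",   # AS-4's space (a.b.c.d), learned via AS-3 peering
    "203.0.113.0/24":  "to-AS3",   # some other prefix learned through AS-3
}


def lookup(fib, addr):
    """Longest-prefix match: return the egress interface of the best route,
    or None when the FIB holds no route covering addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf(fib, src, ingress, mode):
    """Return 'pass' or 'drop' for a packet with source src arriving on ingress.

    strict: the best route back to the source must leave via the ingress
            interface (symmetric path required).
    loose:  a route to the source merely has to exist ("exist only").
    """
    iface = lookup(fib, src)
    if iface is None:
        return "drop"               # both modes drop an unrouted source
    if mode == "strict":
        return "pass" if iface == ingress else "drop"
    if mode == "loose":
        return "pass"
    raise ValueError(f"unknown uRPF mode: {mode}")


# Constructed packets arriving at AS-2 over its link from AS-4.
PACKETS = [
    ("198.51.100.10", "to-AS4", "legit, asymmetric"),    # AS-4 host talking to AS-1
    ("192.0.2.50",    "to-AS4", "spoofed AS-1 source"),  # forged source inside AS-1's space
    ("10.0.0.1",      "to-AS4", "spoofed, unrouted"),    # forged source with no route at all
]


def evaluate(mode):
    """Run every constructed packet through uRPF in the given mode."""
    return {label: urpf(FIB_AS2, src, ingress, mode) for src, ingress, label in PACKETS}


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode)
        for label, verdict in evaluate(mode).items():
            print(f"  {label:24s} -> {verdict}")
```

The strict run drops all three packets, including the legitimate one, because AS-2's best route to AS-4's prefix points at AS-3 rather than at the interface the packet came in on; that is the foot-shooting the first poster warns about. The loose run keeps the legitimate packet but also keeps the forged AS-1 source, since loose mode only asks whether some route exists, which on a full-table router is true for nearly every address; only the unrouted 10.0.0.1 source is filtered in both modes.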