Who does source address validation? (was Re: what's that smell?)

Danny McPherson danny at tcb.net
Tue Oct 8 16:15:28 UTC 2002



> "reachable-via any" means you're only going to drop the packet if you
> don't have *ANY* route back to them. 

What's a route?  An IP RIB instance?  A BGP Loc-RIB instance?  An IGP LSDB
IP prefix entry?  A BGP Adj-RIB-In instance?

I think you mean "if you don't have *ANY* **FIB** entry for the 
source address".

If I peer with two large providers on the same router and both 
have prefix D.1 behind them and advertise the prefix to me, it's
likely that only one of those two paths is going to make it into 
the BGP Loc-RIB (and subsequently, the IP RIB then FIB).  

If I use ANY FIB entry as proof that it's a valid source then 
that only addresses RFC1918ish space and only suggests that I 
first need to generate an invalid BGP route for the prefix, then 
spoof the packets.  This doesn't fix spoofing with global IP
addresses.

If I use only entries that occur in the RIB and associate them 
with the receiving interface and receive a packet with an SA of 
D.1 from the peer whose path wasn't installed in the BGP 
Loc-RIB then I'll drop it.  (And there's nothing broken with 
this configuration -- it's why we have routers with 1 million 
BGP paths but only 150K routes/FIB entries, as I'm sure you 
know).

If you're going to do source address validation then you need 
to associate all potential valid paths for a given prefix with 
the associated ingress interface, else it's mostly useless.

-danny
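
The three checks discussed in this message, modelled side by side as an added example that is not part of the original post. Assumptions: the prefixes are documentation ranges standing in for D.1, the interface names `peerA`/`peerB` and the mode names are hypothetical, and best-path selection is reduced to shortest AS path.

```python
import ipaddress

# Constructed sample data: 198.51.100.0/24 stands in for prefix D.1 and is
# heard from both peers; 203.0.113.0/24 is heard from peerB only.
ADJ_RIB_IN = [  # (prefix, ingress interface, AS-path length)
    ("198.51.100.0/24", "peerA", 2),
    ("198.51.100.0/24", "peerB", 3),
    ("203.0.113.0/24", "peerB", 1),
]

def build_fib(paths):
    """Keep one best path per prefix (shortest AS path), as Loc-RIB -> FIB does."""
    best = {}
    for prefix, iface, aslen in paths:
        net = ipaddress.ip_network(prefix)
        if net not in best or aslen < best[net][1]:
            best[net] = (iface, aslen)
    return {net: iface for net, (iface, _) in best.items()}

def all_paths(paths):
    """Map each prefix to every interface it was received on."""
    table = {}
    for prefix, iface, _ in paths:
        table.setdefault(ipaddress.ip_network(prefix), set()).add(iface)
    return table

def lpm(table, src):
    """Longest-prefix match of src against the networks used as table keys."""
    addr = ipaddress.ip_address(src)
    hits = [net for net in table if addr in net]
    return max(hits, key=lambda net: net.prefixlen) if hits else None

def accept(src, in_iface, mode, paths=ADJ_RIB_IN):
    """Return True if a packet with source src arriving on in_iface passes."""
    if mode == "any":        # any FIB entry at all covers the source
        return lpm(build_fib(paths), src) is not None
    if mode == "strict":     # the FIB best path must point back at in_iface
        fib = build_fib(paths)
        net = lpm(fib, src)
        return net is not None and fib[net] == in_iface
    if mode == "all-paths":  # any received path for the prefix uses in_iface
        table = all_paths(paths)
        net = lpm(table, src)
        return net is not None and in_iface in table[net]
    raise ValueError(f"unknown mode: {mode}")
```

With this data, a D.1 source arriving from `peerB` passes "any" and "all-paths" but fails "strict", while a 203.0.113.0/24 source arriving from `peerA` is stopped only by "strict" and "all-paths".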




