Lazy Engineers and Viable Excuses

Matt Levine matt at deliver3.com
Tue Aug 26 15:29:17 UTC 2003



On Tuesday, August 26, 2003, at 11:13 AM, Stephen J. Wilcox wrote:

>
>
> On Tue, 26 Aug 2003, Leo Bicknell wrote:
>
>> In a message written on Tue, Aug 26, 2003 at 10:43:00AM -0400, Jared 
>> Mauch wrote:
>>> 	Yes I could, if you and your customers had all the routes
>>> they sourced packets from registered.  This has nothing to do
>>> with routing 101, this has to do with filtering customers and
>>> having anti-spoofing filters as well as route objects for any
>>> prefix you will source packets from.
>>
>>
>>          ___T1 to Verio, With BGP____Verio______
>>         /                                       \
>> Customer                                         UUnet
>>         \                                       /
>>          ---T1 to Sprint, No BGP-----Sprint-----
>>
>> Now, the customer, over their two T1 transit circuits does the
>> following:
>>
>> as-path access-list 1 deny .*
>>
>> neighbor verio filter-list 1 in
>>
>> ip route 0.0.0.0 0.0.0.0 sprint
>>
>> Should the customer have to register a route with Sprint to make
>> this work?  How does UUNet, who only received a route from Verio,
>> know incoming packets from Sprint aren't spoofed?  Note also, even
>> if these cases are in the IRR, UUNet's filter for Sprint will be
>> larger than the number of routes currently received, since there is
>> no route for this prefix that needs to be in the filter.
>>
>> [Note, I don't suggest this configuration is common or useful on
>> its own, but rather it's a simple enough case it can be used for
>> discussion in e-mail.]
>
> Hmm, this isn't a real world scenario though.. if you multihome there
> should be BGP on both paths..
>
> In the example above Sprint aren't accepting or sourcing a route so
> there is no issue on routes being passed into Sprint or UUNET, and
> we're talking here about spoofing of routes, not packets

In a real world scenario, I bumped into Verio's RPF peer filters
yesterday.

Due to the large outage at 200 Paul, the /19 that one of my /24s is
out of went away.  Obviously due to prefix filtering policies, Verio
didn't have my /24.  I had several people complain who were multihomed
and did have the /24 from their other carrier(s).  Unfortunately, my
best path to these customers was via Verio, whose RPF promptly blocked
my return traffic :(




>
> Steve
>
>
--
Matt Levine <matt at deliver3.com>
"The Trouble with doing anything right the first time is that nobody 
appreciates how difficult it was."  -BIX
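The failure mode Matt describes (a covering /19 withdrawn, the more-specific /24 kept out of the table by prefix filters, and RPF then dropping legitimate return traffic) can be walked through with a small uRPF simulation. This is an added example, not code from the thread or from any vendor; the prefixes, interface names and the three FIB snapshots are constructed, and the strict/loose/allow-default semantics follow the usual router behaviour (strict: the route for the source must point at the ingress interface; loose: any non-discard route will do; the default route is ignored unless explicitly allowed).

```python
"""Toy unicast RPF (uRPF) decision engine over a hand-built FIB.

Added example, not from the original NANOG thread.  All prefixes,
interface names and routes below are constructed for illustration.
"""
import ipaddress


def build_fib(routes):
    """routes: iterable of (prefix, egress_interface).  Returns a dict FIB."""
    return {ipaddress.ip_network(p): iface for p, iface in routes}


def lookup(fib, addr, allow_default=False):
    """Longest-prefix match for addr.  Returns (network, iface) or None.

    The default route (/0) is skipped unless allow_default is set, which
    mirrors the usual uRPF 'allow-default' knob.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in fib.items():
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_permit(fib, src, in_iface, mode="strict", allow_default=False):
    """Decide whether a packet with source src arriving on in_iface passes uRPF."""
    hit = lookup(fib, src, allow_default)
    if hit is None:
        return False          # no route back to the source: dropped in every mode
    _net, iface = hit
    if iface == "null0":
        return False          # discard route: treated as 'no valid path'
    if mode == "loose":
        return True           # any real route suffices
    if mode == "strict":
        return iface == in_iface   # must be the interface we would use to reach src
    raise ValueError(f"unknown uRPF mode {mode!r}")


def outage_scenario():
    """Replay the /19-withdrawal case; returns a dict of permit/drop decisions."""
    src = "10.0.16.5"   # constructed: a host inside the hypothetical /24

    # Before the outage: the aggregate /19 is present and points back toward
    # the interface the /24's traffic actually arrives on ("peer-A").
    before = build_fib([("10.0.0.0/19", "peer-A"), ("0.0.0.0/0", "transit")])

    # After the outage: the /19 is gone, and the /24 never made it into the
    # table because of prefix-length filtering.  Only the default remains.
    after = build_fib([("0.0.0.0/0", "transit")])

    # If the filter were relaxed and the /24 accepted, the path is whole again.
    after_relaxed = build_fib([("10.0.16.0/24", "peer-A"), ("0.0.0.0/0", "transit")])

    return {
        "before_strict": urpf_permit(before, src, "peer-A"),
        "before_strict_wrong_iface": urpf_permit(before, src, "peer-B"),
        "before_loose_wrong_iface": urpf_permit(before, src, "peer-B", "loose"),
        "outage_strict": urpf_permit(after, src, "peer-A"),
        "outage_loose": urpf_permit(after, src, "peer-A", "loose"),
        "outage_loose_allow_default": urpf_permit(after, src, "peer-A", "loose",
                                                  allow_default=True),
        "relaxed_strict": urpf_permit(after_relaxed, src, "peer-A"),
    }


if __name__ == "__main__":
    for name, permitted in outage_scenario().items():
        print(f"{name:30} {'permit' if permitted else 'drop'}")
```

The interesting rows are the outage ones: with the /19 withdrawn and the /24 filtered, even loose uRPF drops the return traffic, because there is no route at all for the source. Only turning on allow-default (which makes loose mode pass essentially anything) or accepting the more-specific /24 restores the path, which is exactly the tension between anti-spoofing filters and prefix-filtering policy that the thread is arguing about.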