69/8...this sucks -- Centralizing filtering..

Russell Heilling russell at ccie.org.uk
Mon Mar 10 21:38:48 UTC 2003


On Mon, Mar 10, 2003 at 01:39:26PM -0600, Jack Bates wrote:
> 
> Oh, I agree that there are times when BGP is used in a single uplink
> scenario, but it is not common. However, someone pointed me to ip verify
> unicast source reachable-via any which seems to be available on some of the
> cisco Service provider releases. It's an interesting concept and I'm itching
> to play with it. If you aren't in my routing table, then why accept the IP
> address?

I've been using this method to do "loose source verification" for a while 
now, and it's certainly better than nothing, but it doesn't really do as 
much as it should when you only receive a partial table from a peer.  I've 
been toying with the idea of supporting strict reverse path verification 
on peering links by using VRFs.  It works really well in the lab, but 
migrating the whole network into an MPLS VPN just to get some extra 
source filtering ability seems a little extreme to me for some reason... 
;)

It'd work really well if Cisco allowed the global table as a VRF
import/export target though.

-- 
Russell Heilling
http://www.ccie.org.uk
PGP: finger russellh at bela.homeunix.net
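Added example, not from the thread or from any vendor: a small model of the three checks discussed above (loose uRPF, strict uRPF against the global table, and strict uRPF against a per-peer VRF holding only that peer's announcements), run over a constructed routing table. Interface names, prefixes and the `vrf_<peer>` naming are assumptions for illustration.

```python
import ipaddress

# Constructed routing tables (not from the post). "global" is the main RIB
# holding best paths; "vrf_<peer>" holds only what that peer announced to us,
# modelling the per-peer VRF idea from the thread.
TABLES = {
    "global": [
        ("192.0.2.0/24", "peerA"),        # announced by peerA only
        ("198.51.100.0/24", "peerB"),     # announced by both peers, best path via peerB
        ("203.0.113.0/24", "customer1"),
    ],
    "vrf_peerA": [("192.0.2.0/24", "peerA"), ("198.51.100.0/24", "peerA")],
    "vrf_peerB": [("198.51.100.0/24", "peerB")],
}

def lookup(table, src):
    """Longest-prefix match of src in table; returns the egress interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in TABLES.get(table, []):
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_loose(src, in_iface):
    """'reachable-via any': pass if the source is routed at all, via any interface."""
    return lookup("global", src) is not None

def urpf_strict(src, in_iface):
    """Strict check against the global table: best path back must leave via in_iface."""
    return lookup("global", src) == in_iface

def urpf_strict_vrf(src, in_iface):
    """Strict check against a VRF that holds only the receiving peer's own announcements."""
    return lookup(f"vrf_{in_iface}", src) == in_iface

def verdicts(src, in_iface):
    """All three checks for one packet, as (loose, strict_global, strict_vrf)."""
    return (urpf_loose(src, in_iface),
            urpf_strict(src, in_iface),
            urpf_strict_vrf(src, in_iface))

if __name__ == "__main__":
    for src, iface in [("192.0.2.7", "peerB"),      # peerB never announced this prefix
                       ("198.51.100.9", "peerA"),   # legitimate, but asymmetric vs. global best path
                       ("10.9.9.9", "peerA")]:      # not in any table
        print(src, iface, verdicts(src, iface))
```

The middle case is the one that makes strict mode painful on peering links: the global best path disagrees with the arrival interface, so plain strict drops legitimate traffic, while the per-peer VRF accepts it because that peer did announce the prefix.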