asymmetric/peer RPF [RE: TCP/BGP vulnerability - easier than you think]

Michel Py michel at arneill-py.sacramento.ca.us
Thu Apr 22 14:38:50 UTC 2004


From: Pekka Savola [mailto:pekkas at netcore.fi] 
> When discussing RPF towards peers or w/ asymmetric
> paths, I'd recommend to read RFC 3704

I have, this is a very good document.

> If your prefix filter stops a neighbor from
> advertising a prefix, maybe you would have to
> revise your prefix filtering policy (e.g.,
> revise it more often, get notice if the peer
> sends you something you're filtering, tell to
> peers not to advertise anything that's not
> properly in the routing DB's, etc.)?  This
> doesn't seem so bad to me...

I agree, but there are many people that think it is very bad. Trouble
is, using RPF has a great potential for problems as it will drop traffic
(which is the reason it's not being used in the first place). The point
I was trying to make is as follows: if you don't use RPF (which is
probably the case) then there is no harm in prefix-filtering peers (if
you are not a tier-1) even if the prefix-filters are not perfect.
Needless to say, there is no point prefix-filtering if your filters are
completely messed up.

Michel.
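
The interaction discussed above, as an added example that is not part of the original message: a simplified model of an exact-match inbound prefix filter combined with a feasible-path style RPF check (RFC 3704) on a peer interface. The prefixes are constructed from documentation ranges and the function names are hypothetical; real routers differ in whether filtered routes still count for RPF.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation prefixes).
ADVERTISED = ["192.0.2.0/24", "198.51.100.0/24"]   # what the peer announces
PREFIX_FILTER = ["192.0.2.0/24"]                    # out-of-date inbound filter
SOURCES = ["192.0.2.10", "198.51.100.7", "203.0.113.5"]


def split_by_filter(advertised, prefix_filter):
    """Return (accepted, rejected) announcements under an exact-match filter."""
    allowed = {ipaddress.ip_network(p) for p in prefix_filter}
    nets = [ipaddress.ip_network(p) for p in advertised]
    accepted = [n for n in nets if n in allowed]
    rejected = [n for n in nets if n not in allowed]
    return accepted, rejected


def forward_decisions(advertised, prefix_filter, sources, rpf_enabled):
    """Map each source address to True (forwarded) or False (dropped by RPF)."""
    accepted, _ = split_by_filter(advertised, prefix_filter)
    decisions = {}
    for src in sources:
        addr = ipaddress.ip_address(src)
        # Assumption: only routes that passed the filter are feasible paths.
        covered = any(addr in net for net in accepted)
        decisions[src] = covered if rpf_enabled else True
    return decisions


def collateral_drops(advertised, prefix_filter, sources):
    """Sources the peer does announce but RPF drops because the filter rejected the route."""
    _, rejected = split_by_filter(advertised, prefix_filter)
    with_rpf = forward_decisions(advertised, prefix_filter, sources, True)
    return [s for s, ok in with_rpf.items()
            if not ok and any(ipaddress.ip_address(s) in n for n in rejected)]


if __name__ == "__main__":
    # Rejected announcements are what a "peer sent something we filter" alert would report.
    print("rejected:", [str(n) for n in split_by_filter(ADVERTISED, PREFIX_FILTER)[1]])
    print("no RPF:  ", forward_decisions(ADVERTISED, PREFIX_FILTER, SOURCES, False))
    print("with RPF:", forward_decisions(ADVERTISED, PREFIX_FILTER, SOURCES, True))
    print("collateral drops:", collateral_drops(ADVERTISED, PREFIX_FILTER, SOURCES))
```

Without RPF the imperfect filter only costs a route; with RPF the same filter gap also drops the traffic sourced from the rejected prefix.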