BCP38 making it work, solving problems

Christopher L. Morrow christopher.morrow at mci.com
Tue Oct 12 14:17:34 UTC 2004


On Tue, 12 Oct 2004, Niels Bakker wrote:

>
> * christopher.morrow at mci.com (Christopher L. Morrow) [Tue 12 Oct 2004, 05:18 CEST]:
> > a common occurrence we've seen is a customer of a customer NOT
> > announcing, nor planning on announcing, their routes to their
> > upstream#1 which they use ONLY for outbound traffic (cheap transit for
> > instance, and perhaps only for some portions of their total sources)
> > though they announce to upstreams#2-N the proper sources to gather the
> > return traffic. These things make uRPF 'difficult'.
>
> You could use uRPF-loose there, or the customer could do:
>
> !
> route-map outbound-only permit 10
>  match prefix-list myprefixes
>  set community no-export
> !

this does not address the problem, the customer's customer isn't
announcing routes for this traffic so there is nothing to no-export :(
Example:

the 'chris.net' network is a customer of MCI, his customer "bakker.net".
'bakker.net' decides 'chris.net' has priced transit cheaply this
year/month/day and chooses not to accept traffic from 'chris.net' but send
all outbound traffic through 'chris.net'. 'chris.net' never sees routes
for the sources sending this traffic, yet passes it along to the upstream,
which also has no routes for 'bakker.net' via 'chris.net'.

Regardless, the point here is: "Things seem like they may be getting
better, as 'security' requirements are now firmly being included into new
equipment purchases."
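
The 'chris.net' / 'bakker.net' scenario from this message as a small model comparing strict and loose uRPF; this is an added example, not part of the original post. The prefixes (RFC 5737 documentation ranges), the interface names and the assumption that both routers carry default-free tables are constructed for illustration.

```python
import ipaddress

# Constructed data: RFC 5737 documentation prefixes and made-up interface names.
BAKKER_PFX = "198.51.100.0/24"   # assumed address space of 'bakker.net'
CHRIS_PFX = "192.0.2.0/24"       # assumed address space of 'chris.net'

# chris.net router: bakker.net announces nothing on its link, so the only
# route to BAKKER_PFX is the one learned from MCI (via bakker's upstreams #2-N).
CHRIS_FIB = {BAKKER_PFX: {"to-mci"}, CHRIS_PFX: {"local"}}
# MCI edge router: BAKKER_PFX is reached via a peer, never via the chris.net port.
MCI_FIB = {BAKKER_PFX: {"peer-upstream2"}, CHRIS_PFX: {"cust-chris"}}


def best_route(fib, src):
    """Longest-prefix match; returns the next-hop interface set or None."""
    addr = ipaddress.ip_address(src)
    matches = [ipaddress.ip_network(p) for p in fib
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return fib[str(max(matches, key=lambda n: n.prefixlen))]


def urpf_permits(fib, src, in_iface, mode):
    """strict: the route to src must point back out in_iface.
    loose: any route to src is enough (default-free table assumed)."""
    ifaces = best_route(fib, src)
    if ifaces is None:
        return False
    return True if mode == "loose" else in_iface in ifaces


def evaluate():
    legit = "198.51.100.25"    # real bakker.net host, outbound-only via chris.net
    unrouted = "203.0.113.9"   # source with no route in either table
    forged = "192.0.2.77"      # routed chris.net address arriving from bakker.net
    return {
        "chris_strict_legit": urpf_permits(CHRIS_FIB, legit, "cust-bakker", "strict"),
        "chris_loose_legit": urpf_permits(CHRIS_FIB, legit, "cust-bakker", "loose"),
        "mci_strict_legit": urpf_permits(MCI_FIB, legit, "cust-chris", "strict"),
        "mci_loose_legit": urpf_permits(MCI_FIB, legit, "cust-chris", "loose"),
        "chris_loose_unrouted": urpf_permits(CHRIS_FIB, unrouted, "cust-bakker", "loose"),
        "chris_loose_forged": urpf_permits(CHRIS_FIB, forged, "cust-bakker", "loose"),
        "chris_strict_forged": urpf_permits(CHRIS_FIB, forged, "cust-bakker", "strict"),
    }


if __name__ == "__main__":
    for check, permitted in evaluate().items():
        print(f"{check:22} {'permit' if permitted else 'drop'}")
```

Strict mode drops the legitimate outbound-only traffic at both hops, while loose mode passes it but also passes any forged source that has a route somewhere in the table.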


