router worms and International Infrastructure
Matthew Crocker
matthew at crocker.com
Thu Sep 22 12:51:29 UTC 2005
>>
>> At your borders (upstream/peers), you will naturally block all of
>> 10/8
>> at egress.
>>
>
> my border is very broad and it's not feasible to use acls on all
> equipment
> that makes up that edge :( (for the sake of arguement, which is now
> far
> afield from the original question: "Feasible path won't stop someone
> spoofing space thats in my FIB, will it?"
>
The solution is a double border, possibly with VRF and inter-VRF
routing
Internal border sees 10/8 and 10/8 is in the FIB. 10/8 packets can
be spoofed here, Infrastructure connects her
External border doesn't see 10/8, 10/8 is NOT in the FIB, 10/8
packets can't be spoofed. Internet connects here.
Internal <-> External links use routable IP space to not infect
external with infrastructure routes.
External border cannot talk to infrastructure IPs but it doesn't need
to.
External can route through infrastructure to customer CPE
10/8 can still be spoofed on the infrastructure but it will have to
come from a customer, not from the Internet.
> Also, consider the cases where customers push packets your way (for
> uRPF
> strict, which isn't available for JunOS, but is for IOS depending on
> platform/code/hardware-rev... ugh!) and never send you a route for the
> traffic back to them? Maybe they are just a transit and don't even
> hear
> the routes for their customer who chose a 'cheaper' path that doesn't
> include them nor me directly on this link in question?
This sounds like a broken design. Why have one way links? If a
customer pushes packets my way and they don't announce that route to
me I will drop the packets at my edge. If they want to send me those
packets they need to announce. They can announce with AS path
prepend x 1000 so I don't send them any traffic but the route needs
to exist.
> "does urpf feasible path stop a 'customer' from spoofing sources
> that are
> in the FIB?"
No, but you don't use feasible path on links aimed at your customer,
you use strict. If your router doesn't support strict then talk to
your purchasing department.
--
Matthew S. Crocker
Vice President
Crocker Communications, Inc.
Internet Division
PO BOX 710
Greenfield, MA 01302-0710
http://www.crocker.com
More information about the NANOG
mailing list