router worms and International Infrastructure

Matthew Crocker matthew at crocker.com
Thu Sep 22 12:51:29 UTC 2005


>>
>> At your borders (upstream/peers), you will naturally block all of 10/8
>> at egress.
>>
>
> my border is very broad and it's not feasible to use acls on all equipment
> that makes up that edge :( (for the sake of argument, which is now far
> afield from the original question: "Feasible path won't stop someone
> spoofing space that's in my FIB, will it?"
>

The solution is a double border, possibly with VRF and inter-VRF routing.

Internal border sees 10/8 and 10/8 is in the FIB. 10/8 packets can be spoofed here. Infrastructure connects here.
External border doesn't see 10/8, 10/8 is NOT in the FIB, 10/8 packets can't be spoofed. Internet connects here.

Internal <-> External links use routable IP space to not infect external with infrastructure routes.
External border cannot talk to infrastructure IPs but it doesn't need to.
External can route through infrastructure to customer CPE.

10/8 can still be spoofed on the infrastructure but it will have to come from a customer, not from the Internet.

> Also, consider the cases where customers push packets your way (for uRPF
> strict, which isn't available for JunOS, but is for IOS depending on
> platform/code/hardware-rev... ugh!) and never send you a route for the
> traffic back to them? Maybe they are just a transit and don't even hear
> the routes for their customer who chose a 'cheaper' path that doesn't
> include them nor me directly on this link in question?


This sounds like a broken design. Why have one-way links? If a customer pushes packets my way and they don't announce that route to me, I will drop the packets at my edge. If they want to send me those packets they need to announce. They can announce with AS path prepend x 1000 so I don't send them any traffic, but the route needs to exist.

> "does urpf feasible path stop a 'customer' from spoofing sources  
> that are
> in the FIB?"

No, but you don't use feasible path on links aimed at your customer, you use strict. If your router doesn't support strict then talk to your purchasing department.

--
Matthew S. Crocker
Vice President
Crocker Communications, Inc.
Internet Division
PO BOX 710
Greenfield, MA 01302-0710
http://www.crocker.com
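Added example (not from the thread or from any of its participants): a small model of loose, feasible-path and strict uRPF checks against a FIB, used to replay the double-border design and the strict-versus-feasible question above. The two FIBs, the interface names (infra, cust1, cust2, to-external, to-internal, upstream) and the customer prefixes are constructed for illustration; the only real behaviour it mirrors is that a default route does not satisfy a uRPF lookup unless the router is told to allow it (the IOS "allow-default" keyword).

```python
# Added example, not from the NANOG thread. Models uRPF over a FIB so the
# double-border and strict-vs-feasible cases above can be run as code.
# All prefixes, interface names and FIB contents below are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    best: frozenset        # interface(s) on the best (forwarding) path
    feasible: frozenset    # best path plus any alternative paths the prefix was learned over


class FIB:
    def __init__(self):
        self.routes = []

    def add(self, prefix, best, alternatives=()):
        """Install a prefix with its best-path interface(s) and optional alternative paths."""
        best = frozenset(best)
        self.routes.append(Route(ipaddress.ip_network(prefix), best, best | frozenset(alternatives)))

    def lookup(self, addr, ignore_default=False):
        """Longest-prefix match; None means the address is not in the FIB."""
        ip = ipaddress.ip_address(addr)
        matches = [r for r in self.routes
                   if ip in r.prefix and not (ignore_default and r.prefix.prefixlen == 0)]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_accept(fib, src, ingress, mode):
    """True if a packet with source `src` arriving on interface `ingress` passes uRPF in `mode`."""
    # A default route is not a usable reverse path here (as on IOS without allow-default).
    route = fib.lookup(src, ignore_default=True)
    if route is None:
        return False                      # no route at all: every mode drops it
    if mode == "loose":
        return True                       # any route to the source is enough
    if mode == "feasible":
        return ingress in route.feasible  # any path the prefix was learned over, best or not
    if mode == "strict":
        return ingress in route.best      # only the path we would actually forward on
    raise ValueError(f"unknown uRPF mode {mode!r}")


def build_borders():
    """Two FIBs for the double-border design: the internal border carries 10/8, the external one never sees it."""
    internal = FIB()
    internal.add("10.0.0.0/8", best=["infra"])                  # infrastructure space, only inside
    internal.add("192.0.2.0/24", best=["cust1"])                # single-homed customer
    internal.add("198.51.100.0/24", best=["cust1"], alternatives=["cust2"])  # cust2 also announces it as a backup
    internal.add("0.0.0.0/0", best=["to-external"])             # everything else via the external border

    external = FIB()
    external.add("192.0.2.0/24", best=["to-internal"])
    external.add("198.51.100.0/24", best=["to-internal"])
    external.add("0.0.0.0/0", best=["upstream"])
    # Deliberately no 10/8 here: the inter-border link uses routable space.
    return internal, external


def run_scenarios():
    """Replay the cases discussed in the thread; True means the packet is accepted."""
    internal, external = build_borders()
    return {
        # Internet-sourced 10/8 spoof at the external border: not in that FIB, dropped even by loose
        "internet_spoof_10_8_loose": urpf_accept(external, "10.1.2.3", "upstream", "loose"),
        # Customer-sourced 10/8 spoof at the internal border: loose lets it in because 10/8 is in the FIB...
        "customer_spoof_10_8_loose": urpf_accept(internal, "10.1.2.3", "cust1", "loose"),
        # ...while feasible and strict drop it: the only path to 10/8 is the infra interface
        "customer_spoof_10_8_feasible": urpf_accept(internal, "10.1.2.3", "cust1", "feasible"),
        "customer_spoof_10_8_strict": urpf_accept(internal, "10.1.2.3", "cust1", "strict"),
        # Source in a prefix cust2 announces only as a backup path: feasible accepts, strict drops.
        # The router cannot tell a legitimate backup-path packet from a spoof here.
        "backup_path_feasible": urpf_accept(internal, "198.51.100.7", "cust2", "feasible"),
        "backup_path_strict": urpf_accept(internal, "198.51.100.7", "cust2", "strict"),
        # Customer's own announced space over its own link passes strict
        "customer_own_space_strict": urpf_accept(internal, "192.0.2.5", "cust1", "strict"),
        # Customer pushes packets for space it never announced: no route, dropped in every mode
        "unannounced_source_loose": urpf_accept(internal, "203.0.113.9", "cust1", "loose"),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:30s} {'accept' if accepted else 'drop'}")
```

The "backup_path" pair is the case where feasible-path and strict mode differ: once a customer link carries an alternative path for a prefix, feasible-path uRPF accepts that prefix as a source on the link whether or not the packet is genuine, which is why the post recommends strict on customer-facing links.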
