router worms and International Infrastructure
Christopher L. Morrow
christopher.morrow at mci.com
Thu Sep 22 15:10:13 UTC 2005
On Thu, 22 Sep 2005, Matthew Crocker wrote:
<snip making networking more complicated than required>
>
> > Also, consider the cases where customers push packets your way (for
> > uRPF strict, which isn't available for JunOS, but is for IOS depending on
> > platform/code/hardware-rev... ugh!) and never send you a route for the
> > traffic back to them? Maybe they are just a transit and don't even hear
> > the routes for their customer who chose a 'cheaper' path that doesn't
> > include them nor me directly on this link in question?
>
>
> This sounds like a broken design. Why have one way links? If a
I didn't say I endorsed it, just that it happens, often. It's not a one-way
link either; the link may have thousands of routes advertised up it,
just not a few key ones which are sources of traffic.
Like I said earlier this morning, I have no idea why customers don't just
send a prepended-to-hell route along this path for backup, but they
don't... often.
> customer pushes packets my way and they don't announce that route to
> me I will drop the packets at my edge. If they want to send me those
and you are breaking them... that's bad.
> packets they need to announce. They can announce with AS path
> prepend x 1000 so I don't send them any traffic but the route needs
> to exist.
Sure, and every customer knows bgp/route-maps/policy as well as you... my
point wasn't that it was a good or bad thing, just that it is.
>
> > "does urpf feasible path stop a 'customer' from spoofing sources
> > that are
> > in the FIB?"
>
> No, but you don't use feasible path on links aimed at your customer,
great now we have conflicting answers :) perhaps I'll ask on j-nsp for
clarification.
> you use strict. If your router doesn't support strict then talk to
> your purchasing department.
The problem isn't the router, it's the cards in the router often :( Also,
it's supposed to work according to the vendor, until you test and verify
it doesn't :( doh! Hint: don't buy Engine-3 cards for your 12000s unless
you don't care about uRPF strict.
hurray!
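As an added illustration of the uRPF modes this thread argues about (strict, feasible path and loose, as defined in RFC 3704), the following Python simulation, which is not part of the original mail and not vendor code, runs the "customer pushes packets but never announces the route" case and a spoofed-source case through a small constructed RIB. The interface names, prefixes and routes are made up for the example; `best=False` stands in for an alternate path (such as a prepended backup announcement) that sits in the RIB but is not installed in the FIB.

```python
"""Simulation of the three uRPF modes from RFC 3704 (strict, feasible-path,
loose) against a small constructed RIB. Not vendor code: the topology,
interface names and prefixes are made up for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str       # interface the router would use to reach this prefix
    best: bool = True    # False: alternate path held in the RIB, not installed in the FIB


def longest_match(rib, src):
    """Longest-prefix-matching RIB entries for src (best paths and alternates).

    The default route is ignored, as most uRPF implementations do unless
    explicitly told otherwise; otherwise loose mode would pass everything."""
    addr = ip_address(src)
    cands = [r for r in rib if addr in r.prefix and r.prefix.prefixlen > 0]
    if not cands:
        return []
    longest = max(r.prefix.prefixlen for r in cands)
    return [r for r in cands if r.prefix.prefixlen == longest]


def urpf_pass(rib, src, ingress, mode):
    """True if a packet with source src arriving on ingress survives uRPF in the given mode."""
    routes = longest_match(rib, src)
    if mode == "strict":
        # The best (FIB) path back to the source must leave via the ingress interface.
        return any(r.best and r.interface == ingress for r in routes)
    if mode == "feasible":
        # Any RIB path back to the source (best or alternate) via the ingress interface will do.
        return any(r.interface == ingress for r in routes)
    if mode == "loose":
        # Some route for the source merely has to exist, on any interface.
        return any(r.best for r in routes)
    raise ValueError(f"unknown uRPF mode {mode!r}")


# Constructed topology (hypothetical names): one customer link, one transit/peer link.
CUST = "cust-1"   # link to the customer from the thread
PEER = "peer-1"   # the 'cheaper' path through which we actually learn the customer's prefix


def make_rib(customer_announces_backup):
    """Build the constructed RIB, optionally with the customer's prepended backup announcement."""
    rib = [
        Route(ip_network("192.0.2.0/24"), PEER),       # customer's own prefix; best path is via the peer
        Route(ip_network("198.51.100.0/24"), PEER),    # an unrelated network reachable only via the peer
        Route(ip_network("203.0.113.0/24"), CUST),     # a prefix the customer does announce to us
        Route(ip_network("0.0.0.0/0"), PEER),          # default toward the peer
    ]
    if customer_announces_backup:
        # The prepended-to-hell backup route: kept in the RIB as an alternate, never best.
        rib.append(Route(ip_network("192.0.2.0/24"), CUST, best=False))
    return rib


MODES = ("strict", "feasible", "loose")


def evaluate(rib, src, ingress):
    """Verdict of every uRPF mode for one packet, as a dict mode -> accepted."""
    return {mode: urpf_pass(rib, src, ingress, mode) for mode in MODES}


if __name__ == "__main__":
    cases = [
        ("customer source, no route announced", make_rib(False), "192.0.2.10"),
        ("customer source, prepended backup announced", make_rib(True), "192.0.2.10"),
        ("spoofed source that lives behind the peer", make_rib(False), "198.51.100.7"),
        ("source from a prefix the customer announces", make_rib(False), "203.0.113.5"),
        ("unrouted source (default route only)", make_rib(False), "10.255.0.1"),
    ]
    print(f"{'case':48} " + " ".join(f"{m:>9}" for m in MODES))
    for label, rib, src in cases:
        verdict = evaluate(rib, src, CUST)
        cells = " ".join(f"{('pass' if verdict[m] else 'DROP'):>9}" for m in MODES)
        print(f"{label:48} {cells}")
```

Running it shows the point both sides of the thread circle around: with no announcement at all, strict and feasible path both drop the customer's traffic and only loose lets it through, while a prepended backup announcement is enough to satisfy feasible path without ever attracting traffic; and a source that belongs behind the peer is dropped by strict and feasible path but passed by loose, which is why loose mode is not an anti-spoofing control for customer links.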