large BCP38 compliance testing

Barry Greene bgreene at senki.org
Thu Oct 2 11:29:04 UTC 2014


On Oct 2, 2014, at 6:23 PM, Jérôme Nicolle <jerome at ceriz.fr> wrote:

> 
> 
> On 02/10/2014 12:28, Nick Hilliard wrote:
>> It would probably be more productive to pressurise transit providers to
>> enforce bcp38 on their customer links.
> 
> This. But let me ask you, how many transit providers actually implement
> strict prefix-filtering? I've seen many using a max-prefix as their
> sole defense.
> 
> Now, let's consider what you want is to match an interface ACL to
> prefixes received on a BGP session running through the same interface.
> Ain't that what uRPF-strict is all about?

uRPF Strict mode is NOT a tool to use on the transit connections. It was built for the SP-Customer connections. 

uRPF VRF mode _was_ built for the transit connections. You can take all the prefixes received from the peer and stick them into a VRF. You can then check all the incoming packet source addresses against that list. If there is no match, then it was not in the BGP advertisements. 



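The per-peer source check described in the reply above, as an added example that is not part of the original post or any vendor's implementation: a simplified Python model comparing it with strict uRPF when routing is asymmetric. Peer names, prefixes and packets are constructed (documentation address ranges), and the route tables are plain dictionaries standing in for a router's BGP and forwarding state.

```python
import ipaddress

# Constructed sample data; peer names are hypothetical.
# Prefixes each BGP neighbour advertised to us (the per-peer table).
RECEIVED = {
    "peer_a": ["192.0.2.0/24", "198.51.100.0/24"],
    "peer_b": ["198.51.100.0/24", "203.0.113.0/24"],
}
# Best path selected for forwarding: prefix -> peer used to reach it.
BEST_PATH = {
    "192.0.2.0/24": "peer_a",
    "198.51.100.0/24": "peer_b",  # both peers advertise it; peer_b wins
    "203.0.113.0/24": "peer_b",
}
# (source address, peer link the packet arrived on), constructed.
PACKETS = [
    ("198.51.100.7", "peer_a"),  # advertised by peer_a, best path via peer_b
    ("203.0.113.9", "peer_a"),   # never advertised by peer_a
    ("192.0.2.5", "peer_a"),     # advertised by peer_a and best path via it
    ("10.1.1.1", "peer_b"),      # advertised by nobody
]

def longest_match(addr, prefixes):
    """Return the most specific prefix containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in map(ipaddress.ip_network, prefixes) if ip in n]
    return max(hits, key=lambda n: n.prefixlen, default=None)

def urpf_vrf_mode(src, in_peer):
    """Permit if src is inside any prefix the arrival peer advertised."""
    return longest_match(src, RECEIVED[in_peer]) is not None

def urpf_strict(src, in_peer):
    """Permit only if the best path back to src uses the arrival peer."""
    net = longest_match(src, BEST_PATH)
    return net is not None and BEST_PATH[str(net)] == in_peer

def evaluate(packets):
    """Return (src, peer, strict_permits, vrf_mode_permits) per packet."""
    return [(s, p, urpf_strict(s, p), urpf_vrf_mode(s, p)) for s, p in packets]

if __name__ == "__main__":
    for src, peer, strict, vrf in evaluate(PACKETS):
        print(f"{src:>14} via {peer}: strict={strict} vrf_mode={vrf}")
```

The first packet is the asymmetric case: the peer did advertise the source prefix, so the per-peer check permits it, while the strict check drops it because the best path points to the other peer.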

