large BCP38 compliance testing
Barry Greene
bgreene at senki.org
Thu Oct 2 11:29:04 UTC 2014
On Oct 2, 2014, at 6:23 PM, Jérôme Nicolle <jerome at ceriz.fr> wrote:
>
>
> Le 02/10/2014 12:28, Nick Hilliard a écrit :
>> It would probably be more productive to pressurise transit providers to
>> enforce bcp38 on their customer links.
>
> This. But let me ask you, how many transit provider actually implement
> strict prefix-filtering ? I've seen many using a max-prefix as their
> sole defense.
>
> Now, let's consider what you want is to match an interface ACL to
> prefixes received on a BGP session runing through the same interface.
> Ain't that what uRPF-strict is all about ?
uRPF Strict mode is NOT a tool to use on the transit connections. It was built for the SP-Customer connections.
uRPF VRF mode _was_ built for the transit connections. You can take all the prefixes received from the peer and stick them into a VRF. You can then check all the incoming packet source addresses against that list. If there is no match, then it was not in the BGP advertisements.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20141002/ccbacb14/attachment.sig>
More information about the NANOG
mailing list