BCP 38 addendum

• Previous message (by thread): BCP 38 addendum
• Next message (by thread): BCP 38 addendum
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hey,

How would this work?


ISP1--ISP2---ISP3
|                        |
+-------ISP4-----+

In case poor rendering ISP1 connects to ISP2, ISP4 and ISP3 connects
to ISP2, ISP4

- ISP3 receives ISP1 prefixes via ISP[24]
- ISP3 advertises its prefix out via ISP4

ISP1 will receive traffic from ISP3 through ISP2, and that is not in
the eBGP session, so prefix gets dropped.


Internet is symmetric and people don't advertise consistently, so
while maybe undesirable above stuff does happen. It's not obvious to
me what this eBGP-routes-in-VRF and RPF-to-VRF would solve, which use
case does it address which is not addressed by existing tooling.


There is much cheaper feature which has worked for decades which
applies better to this problem. While you generate list of prefixes
ISP2 COULD announce to you, that includes the prefix ISP3 is NOT
announcing, but COULD. The same prefix-list you use for BGP
announcements use in your ACL.


On 6 March 2018 at 23:16, Fabien VINCENT (NaNOG) <list-nanog at beufa.net> wrote:
> Le 2018-03-06 19:39, Barry Greene a écrit :
>
>>> On Mar 2, 2018, at 1:53 PM, Fabien VINCENT (NaNOG) <list-nanog at beufa.net> wrote:
>>> Hope one day the 3rd mode of uRPF will be something else than a plan ...
>>> uRPF is not very usefull when multi homed. And as far as I know, multi
>>> homed networks are increasing as fast as PNI development ;)
>>
>> This was working microcode code when I left in 2008. Several operators tested, but none deployed (no pushing or pulling).
>
> Yep,  but saw only reference of it, but no real CLI implementation
> (especially on Cisco), so I guess it's not a killer feature to sell
> routers ;)
>
> In 2005 :
> https://www.cisco.com/c/dam/en_us/about/security/intelligence/urpf.pdf
>
> "A third phase is currently under way that will create a way to have
> strict enforcement of the uRPF check on individual ISP-ISP edges. Here,
> external BGP (eBGP) peer sessions will send specific prefixes to a
> dedicated Virtual routing and forwarding (VRF) table. This will allow
> uRPF to query the VRF table that contains all the routes for that
> specific eBGP peering session over the interface, thus verifying
> (authorizing) the source addresses of packets matching the advertised
> routes from the peered ISP"
>
> That's obviously not so sexy, but I guess the problem is on hardware
> performance, as the prefer method should to have a look on BGP tables,
> and uRPF is done on FIB / ASIC level. Sadly, seems not possible right ?
>
> --
> FABIEN VINCENT
> _ at beufanet_



-- 
  ++ytti

• Previous message (by thread): BCP 38 addendum
• Next message (by thread): BCP 38 addendum
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]