BCP 38 addendum

Saku Ytti saku at ytti.fi
Wed Mar 7 23:12:11 UTC 2018


Hey,

> This is exactly my idea: why should I allow uRPF to pass traffic from
> routes not learned on this port? Why, if I have Cogent + Level3 and I
> denied ^3356_174 and ^174_3356 AS paths for logical reasons, should I get
> spoofed traffic from Level3 ranges over the Cogent peering port? It's just
> silly that this kind of mode doesn't exist in uRPF ...
>
> I'm aware it's due to hardware limitations, because uRPF looks into the FIB, not
> the BGP table or RIB, but that could help deny spoofed traffic that comes
> over a transit tier 1 because BCP38 towards the downstreams is not in place,
> or not automatic (I'm still wondering why Level3 has an IRR and does use it for
> filtering downstreams ...)

I'm not at all sure what you are trying to say, but on many platforms
you can write 'hints' to HW based on BGP communities or AS_PATH and
then use these 'hints' in an ACL. A simplified view would be that you're
matching AS_PATH in the ACL.

However, if I understood your scenario right, I don't think what you
propose fixes any spoofing issue in your scenario. The only
anti-spoofing that makes sense towards your transit provider is
dropping your own source addresses.

Some vendors also support 'strict feasible', which is essentially a RIB
match instead of a FIB match (but technically obviously not the RIB; it's just
that the HW gets more information about 'feasible' paths).

>> There is much cheaper feature which has worked for decades which
>> applies better to this problem. While you generate list of prefixes
>> ISP2 COULD announce to you, that includes the prefix ISP3 is NOT
>> announcing, but COULD. The same prefix-list you use for BGP
>> announcements use in your ACL.
>
> Yeah, agree, but not usable and programmable regarding huge upstream counts
> (over 100; I know HW that even for smaller values will say "my ASIC is
> limited, man").

Similarly, it's easy to find a device which can't hold the DFZ in FIB, but
you wouldn't buy that device as your edge box. Usually the really
cheap and dense boxes are not edge capable anyhow, due to poor
control-plane protection, and all proper edge boxes have large ACLs,
at what I view as perfectly affordable prices from Juniper, Nokia, Huawei
and Cisco. Maybe 20-30k for a few 100GE and what have you, likely not
significant in the 5 year TCO on the actual company-wide bottom line.


-- 
  ++ytti
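To make concrete the three checks discussed in this thread (FIB-based strict uRPF, the 'strict feasible' variant that also sees non-best RIB paths, and an ingress ACL derived from the same prefix-list used to filter a neighbour's BGP announcements), here is an added Python simulation; it is not code from the thread, and the RIB, prefixes and interface names are constructed:

```python
import ipaddress

# Constructed sample RIB: prefix -> feasible ingress interfaces, best path first.
# Only the first (best) entry is what a FIB-only uRPF check can see.
RIB = {
    "203.0.113.0/24": ["ge-0/0/1", "ge-0/0/2"],  # multihomed, best via ge-0/0/1
    "198.51.100.0/24": ["ge-0/0/2"],            # single-homed behind ge-0/0/2
    "192.0.2.0/24": ["ge-0/0/1"],               # single-homed behind ge-0/0/1
}

def lookup(table, src):
    """Longest-prefix match of src against table; returns (network, value) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, value in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best

def urpf_strict(src, iface):
    """Strict uRPF: pass only if the FIB best path for src points back out iface."""
    hit = lookup(RIB, src)
    return hit is not None and hit[1][0] == iface

def urpf_feasible(src, iface):
    """'Strict feasible' uRPF: pass if any feasible RIB path for src uses iface."""
    hit = lookup(RIB, src)
    return hit is not None and iface in hit[1]

def acl_from_prefix_list(prefix_list):
    """Turn the per-neighbour BGP accept prefix-list into an ingress source ACL.
    Returns a predicate: True = permit, False = drop (implicit deny at the end)."""
    nets = [ipaddress.ip_network(p) for p in prefix_list]
    return lambda src: any(ipaddress.ip_address(src) in n for n in nets)

if __name__ == "__main__":
    # A source inside the multihomed block arriving on the non-best interface:
    # strict uRPF drops it, feasible uRPF passes it, and the ACL decides purely
    # on what that neighbour is allowed to announce to us.
    acl_ge2 = acl_from_prefix_list(["203.0.113.0/24", "198.51.100.0/24"])
    for src in ("203.0.113.5", "192.0.2.7"):
        print(src, urpf_strict(src, "ge-0/0/2"),
              urpf_feasible(src, "ge-0/0/2"), acl_ge2(src))
```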