[107017] in North American Network Operators' Group


Re: Is it time to abandon bogon prefix filters?

daemon@ATHENA.MIT.EDU (Pekka Savola)
Wed Aug 20 01:24:58 2008

Date: Wed, 20 Aug 2008 08:24:35 +0300 (EEST)
From: Pekka Savola <pekkas@netcore.fi>
To: Kevin Loch <kloch@kl.net>
In-Reply-To: <48AAE836.5050002@kl.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Tue, 19 Aug 2008, Kevin Loch wrote:
>> While you're at it, you also placed the reachable-via rx on
>> all your customer interfaces. If you're paranoid, start with the 'any'
>> rpf and then move to the strict rpf. The strict rpf also helps with
>> routing loops.
>
> Be careful not to enable strict rpf on multihomed customers. This includes
> any bgp customer unless you know for sure they are single homed to you and
> that will not change.

Strict uRPF (feasible-path variant, RFC 3704) works just fine with 
multihomed customers here.

But we don't allow TE more-specifics either from the customer or from 
peers, so the longest prefix matching doesn't get messed up.  And with 
a certain kind of p2p link numbering, you may need to add a dummy static 
route.  But it works.

For more see especially Section 3 of:
http://tools.ietf.org/id/draft-savola-bcp84-urpf-experiences-03.txt

(comments are also welcome.)

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
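A small model of the two checks discussed in this thread, added here as an example and not taken from the post or the draft: a constructed routing table records, per prefix, the best next-hop interface and every interface a path was received on; strict uRPF consults only the best path, feasible-path uRPF any received path, and a peer-originated TE more-specific shows how the longest-prefix match can turn a legitimate multihomed customer's source into a drop. Interface names and prefixes are constructed.

```python
import ipaddress

# Constructed table for the scenario in the post (not the author's config).
# "best" is the FIB next hop; "feasible" is every interface a BGP path for
# the prefix was received on (RFC 3704, feasible-path uRPF).
ROUTES = {
    # Multihomed customer: best path via a peer, but also learnt on cust0.
    "198.51.100.0/24": {"best": "peer0", "feasible": {"peer0", "cust0"}},
    # Single-homed customer.
    "203.0.113.0/24":  {"best": "cust0", "feasible": {"cust0"}},
}

def longest_match(routes, src):
    """Return (network, entry) for the most specific route covering src."""
    addr = ipaddress.ip_address(src)
    best = None
    for pfx, entry in routes.items():
        net = ipaddress.ip_network(pfx)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best

def strict_urpf(routes, src, ingress):
    """Strict mode: pass only if the best route back to src uses ingress."""
    match = longest_match(routes, src)
    return match is not None and match[1]["best"] == ingress

def feasible_urpf(routes, src, ingress):
    """Feasible-path mode: pass if any received path to src uses ingress."""
    match = longest_match(routes, src)
    return match is not None and ingress in match[1]["feasible"]

def with_te_more_specific(routes):
    """Add a peer's /25 inside the customer's /24 (a TE more-specific the
    post says must be filtered); it now wins the longest-prefix match."""
    r = dict(routes)
    r["198.51.100.0/25"] = {"best": "peer0", "feasible": {"peer0"}}
    return r

if __name__ == "__main__":
    src, cust = "198.51.100.10", "cust0"
    print("strict:", strict_urpf(ROUTES, src, cust))            # False
    print("feasible:", feasible_urpf(ROUTES, src, cust))        # True
    print("feasible + TE /25:",
          feasible_urpf(with_te_more_specific(ROUTES), src, cust))  # False
```

A source with no route at all (for instance a spoofed address) fails both checks, which is the bogon-filtering effect the thread started from.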

