[127252] in North American Network Operators' Group


Re: Todd Underwood was a little late

daemon@ATHENA.MIT.EDU (Steve Bertrand)
Fri Jun 18 08:37:50 2010

Date: Fri, 18 Jun 2010 08:37:24 -0400
From: Steve Bertrand <steve@ipv6canada.com>
To: William Herrin <bill@herrin.us>
In-Reply-To: <AANLkTildxHa3Ct9NjHU-dyKStXLe1XjD9SNG49e8k30J@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 2010.06.17 17:10, William Herrin wrote:
> On Thu, Jun 17, 2010 at 12:38 AM, Roy <r.engehausen@gmail.com> wrote:
>> On 6/16/2010 7:43 PM, Jon Lewis wrote:
>>>  With a larger
>>> network, multiple IP blocks, ***numerous multihomed customers***, some of which
>>> use IPs we've assigned them, it gets a little more complicated to do.
>>> I could reject at our border, packets sourced from our IP ranges with
>>> exceptions for any of the IP blocks we've assigned to multihomed customers.
>>
>> Sounds like a good use of URPF.
> 
> Reverse path filtering + asymmetric routing = epic fail. Jon did say
> Multihomed customer.

What RPF can do in this case though, is proactively prevent possible
future problems.

If all IP blocks are tied down to null, and uRPF is enabled in loose
mode on an interface, it will catch cases where someone is sourcing
traffic to you using IPs from the unassigned space that you have in your
free pools.

Every month or so I re-route my blackholed traffic to a sinkhole, and
more often than not, I see some ingress traffic from my unassigned space.

Steve
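To make the two points in this exchange concrete (strict uRPF rejecting a multihomed customer's packets that arrive over the "wrong" path, while loose uRPF with null-routed aggregates still drops sources from unassigned space), here is an added Python model of the lookup; it is not from the thread, and the FIB, interface names and RFC 5737 addresses are constructed. It assumes the common router behaviour that a source whose best match is a route to Null0 fails the loose check.

```python
import ipaddress

# Constructed FIB: (prefix, outgoing interface). "Null0" marks the aggregate
# that is tied down so that unassigned space has no real route. Addresses are
# RFC 5737 documentation ranges, not anyone's actual allocations.
FIB = [
    ("192.0.2.0/24", "Null0"),      # our whole aggregate, nailed to null
    ("192.0.2.0/26", "Gi0/1"),      # single-homed customer behind Gi0/1
    ("192.0.2.64/26", "Gi0/2"),     # multihomed customer, our side of them
    ("198.51.100.0/24", "Gi0/3"),   # prefix learned from an upstream/peer
]

def lookup(src):
    """Longest-prefix match for a source address: (network, iface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf(src, ingress, mode):
    """True if the packet passes the uRPF check in the given mode.
    strict: the best route must point back out the ingress interface.
    loose : any real route suffices, but no route or a Null0 route fails
            (assumed router behaviour, which is what makes the null-routed
            aggregate trick work).
    """
    match = lookup(src)
    if match is None or match[1] == "Null0":
        return False
    if mode == "strict":
        return match[1] == ingress
    return True

def demo():
    """The three cases discussed in the thread."""
    return {
        # multihomed customer's return traffic arriving via the upstream on
        # Gi0/3 instead of Gi0/2: strict drops it, loose lets it through
        "multihomed_strict": urpf("192.0.2.70", "Gi0/3", "strict"),
        "multihomed_loose": urpf("192.0.2.70", "Gi0/3", "loose"),
        # source inside our aggregate but not assigned to anyone: only the
        # Null0 route matches, so even loose mode drops it
        "unassigned_loose": urpf("192.0.2.200", "Gi0/3", "loose"),
        # ordinary single-homed customer on its own interface
        "singlehomed_strict": urpf("192.0.2.10", "Gi0/1", "strict"),
    }
```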

