[161918] in North American Network Operators' Group
Re: BCP38 - Internet Death Penalty
Date: Thu, 28 Mar 2013 09:19:53 -0700
From: Leo Bicknell <bicknell@ufp.org>
To: nanog@nanog.org
In a message written on Thu, Mar 28, 2013 at 11:39:45AM -0400, William Herrin wrote:
> "Single homed stub site" is not a configuration option in any BGP
> setup I'm aware of, so how would the router select RPF as the default
> for a single-homed stub site?
I'm not sure if this is what the OP was talking about or not, but
it reminded me of a feature I have wanted in the past.

If you think about a simple multi-homing situation where a person
has their own IP space, their own ASN, and connects to two providers,
they will announce all of their routes to both providers. They may
in fact do prepending, or more specifics such that one provider is
preferred, but to get full redundancy all of their blocks need to
go to both providers.

uRPF _strict_ only allows traffic where the active route is back
out the interface. There are a number of cases where this won't
be true for my simple scenario above (customer uses a depref
community, one ISP is a transit customer of the other being used
for multi-homing, customer has more than one link to the same ISP
and uses prepending on one, etc). As a result, it can't be applied.

uRPF _loose_ on the other hand only checks if a route is in the
table, and with the table rapidly approaching all of the IP space
in use that's denying less and less every day.

The feature I would like is to set the _packet filter_ based on the
_received routes_ over BGP. Actually, received routes post prefix list.
Consider this syntax:

neighbor 1.2.3.4 install-dynamic-filter Gig10/1/2 prefix-list customer-prefixes

Anything that was received would go through the prefix-list
customer-prefixes (probably the same list used to filter their
announcements), and then get turned into a dynamic ACL applied to
the inbound interface (Gig10/1/2 in this case).

I suspect such a feature would allow 99.99% of the BGP speakers to be
"RPF" filtered in a meaningful way, automatically, where uRPF strict is
not usable today.
-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
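Added example, not code from the thread or from any router vendor: a small Python model of the three checks Leo contrasts. It builds the proposed per-neighbor dynamic ACL by passing BGP-received prefixes through a prefix-list (with Cisco-style exact / `ge` / `le` matching semantics, which is an assumption about how the proposed `install-dynamic-filter` would reuse the list), then evaluates sample source addresses arriving on `Gig10/1/2` against uRPF strict, uRPF loose and that dynamic filter. Every prefix, route and interface name is constructed for illustration; the scenario is the one from the post where the customer's second block has its active route via another link, so strict uRPF would drop legitimate traffic while loose uRPF lets through a prefix the customer never legitimately owned.

```python
"""Toy model of uRPF strict, uRPF loose and a BGP-derived dynamic ACL.

Added example; all data below is constructed and not from the NANOG post.
Prefix-list semantics follow the common router convention (assumption):
  permit NET            -> exact prefix only
  permit NET le L       -> lengths NET.prefixlen .. L
  permit NET ge G       -> lengths G .. 32
  permit NET ge G le L  -> lengths G .. L
"""
from __future__ import annotations
import ipaddress
from typing import List, NamedTuple, Optional

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


class Route(NamedTuple):
    prefix: Net
    out_iface: str          # interface the active (best) route points out of


class PrefixEntry(NamedTuple):
    net: Net
    ge: Optional[int] = None
    le: Optional[int] = None


def prefix_list_permits(prefix: Net, plist: List[PrefixEntry]) -> bool:
    """True if some entry covers `prefix` and its length falls in [ge, le]."""
    for e in plist:
        if not prefix.subnet_of(e.net):
            continue
        lo = e.ge if e.ge is not None else e.net.prefixlen
        if e.le is not None:
            hi = e.le
        elif e.ge is not None:
            hi = e.net.max_prefixlen
        else:
            hi = e.net.prefixlen
        if lo <= prefix.prefixlen <= hi:
            return True
    return False


def build_dynamic_filter(received: List[Net], plist: List[PrefixEntry]) -> List[Net]:
    """The proposed 'install-dynamic-filter': what the neighbour announced,
    filtered by the prefix-list, becomes the inbound ACL on its interface."""
    return [p for p in received if prefix_list_permits(p, plist)]


def longest_match(addr: Addr, fib: List[Route]) -> Optional[Route]:
    hits = [r for r in fib if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


def urpf_strict(src: Addr, ingress: str, fib: List[Route]) -> bool:
    """Pass only if the active route back to `src` leaves via `ingress`."""
    r = longest_match(src, fib)
    return r is not None and r.out_iface == ingress


def urpf_loose(src: Addr, fib: List[Route]) -> bool:
    """Pass if any route except a default route covers `src` (assumption:
    default route is not counted, as most implementations do by default)."""
    r = longest_match(src, fib)
    return r is not None and r.prefix.prefixlen > 0


def dynamic_filter_permits(src: Addr, acl: List[Net]) -> bool:
    return any(src in p for p in acl)


# --- constructed scenario -------------------------------------------------
# Prefix-list 'customer-prefixes': the blocks we agreed to accept from them.
CUSTOMER_PREFIXES = [
    PrefixEntry(Net("192.0.2.0/24")),
    PrefixEntry(Net("198.51.100.0/24"), le=26),
]
# What the neighbour actually announced on Gig10/1/2; the last one is a leak.
RECEIVED = [Net("192.0.2.0/24"), Net("198.51.100.0/24"),
            Net("198.51.100.0/25"), Net("203.0.113.0/24")]
DYNAMIC_ACL = build_dynamic_filter(RECEIVED, CUSTOMER_PREFIXES)

# Our active routes. The customer prepends on Gig10/1/2 for 198.51.100.0/24,
# so its best path is via their other link (Gig10/1/1); 203.0.113.0/24 is
# someone else's and is reached through upstream transit.
FIB = [
    Route(Net("192.0.2.0/24"), "Gig10/1/2"),
    Route(Net("198.51.100.0/24"), "Gig10/1/1"),
    Route(Net("198.51.100.0/25"), "Gig10/1/1"),
    Route(Net("203.0.113.0/24"), "Upstream"),
    Route(Net("0.0.0.0/0"), "Upstream"),
]


def evaluate(src: str, ingress: str = "Gig10/1/2") -> dict:
    """Verdict of each filter for a packet from `src` arriving on `ingress`."""
    a = Addr(src)
    return {"strict": urpf_strict(a, ingress, FIB),
            "loose": urpf_loose(a, FIB),
            "dynamic": dynamic_filter_permits(a, DYNAMIC_ACL)}


if __name__ == "__main__":
    print("dynamic ACL on Gig10/1/2:", [str(p) for p in DYNAMIC_ACL])
    for s in ("192.0.2.10", "198.51.100.7", "203.0.113.9", "10.0.0.1"):
        print(f"{s:>14}", evaluate(s))
```

The second sample source is the case Leo describes: strict uRPF rejects it because the best route points out a different link, loose uRPF accepts it, and so does the dynamic ACL. The third source shows why loose is weakening: a route to it exists (via transit), so loose passes it, whereas the dynamic filter drops it because the prefix-list never permitted the customer to announce that block.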