[50591] in North American Network Operators' Group
RE: NSPs filter?
daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Mon Aug 5 13:51:38 2002
Date: Mon, 5 Aug 2002 21:46:56 +0300 (IDT)
From: Hank Nussbacher <hank@att.net.il>
To: Barry Raveendran Greene <bgreene@cisco.com>
Cc: nanog@merit.edu
In-Reply-To: <LNEHJBNJAPFNLEGJHCPEMELOIAAA.bgreene@cisco.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Mon, 5 Aug 2002, Barry Raveendran Greene wrote:
> But, what if you could "strict mode" packet filter on the ISP-ISP side? Let's
> say there was a dynamic uRPF filter that checked the source addresses
> against the eBGP routes coming into a link. In other words, if the source
> address from an ISP does not match the eBGP prefixes coming across from the
> peer, the packet would drop. So if some /8 prefixes are filtered on the eBGP
> side, they would get dropped on the ISP-ISP peering interface. For example,
> if I only send routes from AS X, then any packet whose source address is
> outside of AS X (say from AS Y) would not pass the uRPF check - resulting in
> a drop. Since this is based on the dynamics of the eBGP prefixes coming
> across the peering session, it would allow a "strict mode like" uRPF packet
> filtering on the ISP-ISP edge (with all the asymmetry found on the ISP-ISP
> edge).
How would this work for BGP Conditional Advertisement as per page 118 of
"Cisco ISP Essentials?"
:-)
Hank
>
> The question is whether this is something people would want as an option. A
> uRPF mode that would enforce a peering agreement with dynamic packet
> filtering (dynamic is based on the eBGP advertisements that get through the
> peering filter).
>
> Barry
>
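
Added example, not part of the original thread and not Cisco code: a small Python model of the per-peer check described in the quoted proposal, where a packet arriving on a peering interface is permitted only if its source address falls inside a prefix that this peer advertised over eBGP and that passed the inbound filter. The class and method names (PeerInterface, announce, withdraw, permits) are hypothetical, and the prefixes are constructed sample values.

```python
import ipaddress


class PeerInterface:
    """Hypothetical model of one ISP-ISP peering interface."""

    def __init__(self, name, inbound_filter=()):
        self.name = name
        # Prefixes the local eBGP inbound policy refuses (e.g. filtered /8s).
        self.inbound_filter = [ipaddress.ip_network(p) for p in inbound_filter]
        # Prefixes learned from this peer that survived the inbound filter.
        self.accepted = set()

    def _filtered(self, net):
        return any(net.version == f.version and net.subnet_of(f)
                   for f in self.inbound_filter)

    def announce(self, prefix):
        """Process an eBGP advertisement; return True if it was accepted."""
        net = ipaddress.ip_network(prefix)
        if self._filtered(net):
            return False
        self.accepted.add(net)
        return True

    def withdraw(self, prefix):
        """Process an eBGP withdrawal; the packet filter follows the routes."""
        self.accepted.discard(ipaddress.ip_network(prefix))

    def permits(self, src):
        """Strict-mode-like check: source must match a prefix from THIS peer."""
        addr = ipaddress.ip_address(src)
        return any(addr.version == n.version and addr in n for n in self.accepted)


def demo():
    # Constructed sample data: the peer (AS X) originates 192.0.2.0/24.
    peer = PeerInterface("peer-AS-X", inbound_filter=["10.0.0.0/8"])
    peer.announce("192.0.2.0/24")   # accepted
    peer.announce("10.0.0.0/8")     # rejected by the inbound eBGP filter
    sources = ("192.0.2.10", "198.51.100.7", "10.1.2.3")
    results = {src: peer.permits(src) for src in sources}
    peer.withdraw("192.0.2.0/24")   # route goes away, so does the permit
    results["192.0.2.10 after withdraw"] = peer.permits("192.0.2.10")
    return results


if __name__ == "__main__":
    for src, ok in demo().items():
        print(f"{src}: {'pass' if ok else 'drop'}")
```
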