[52674] in North American Network Operators' Group
Re: Who does source address validation? (was Re: what's that smell?)
daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Oct 8 12:19:38 2002
Date: Tue, 8 Oct 2002 12:15:05 -0400
From: Jared Mauch <jared@puck.Nether.net>
To: Jeff Aitken <jaitken@aitken.com>
Cc: Jared Mauch <jared@puck.Nether.net>,
Danny McPherson <danny@tcb.net>, nanog@merit.edu
In-Reply-To: <20021008160955.GA68448@hawk.aitken.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, Oct 08, 2002 at 12:09:56PM -0400, Jeff Aitken wrote:
> On Tue, Oct 08, 2002 at 11:49:41AM -0400, Jared Mauch wrote:
> > > Of course, this is the IP RIB and may not include all the
> > > potential paths in the BGP Adj-RIBs-In, right? As such,
> > > you've still got the potential for asymmetric routing to
> > > break things.
> >
> > No, this is "if I have a path in fib" back to this source,
> > transmit else drop;
>
> Unless I'm missing something, that's what he said; fib == loc-rib
> for the purposes of this discussion, and loc-rib is built from the
> various adj-ribs-in.
Correct, but it is not doing a check to see if it's returnable
via the interface it came in, just if it's returnable at all.
As the fib/rib is built off of the adj-rib-in (minus filtering
and local policy), and the check on the Cisco validates against
the CEF (fib) table on the linecard (or centralized CPU in the
case of non-[fully-]distributed platforms), I wanted to clarify the
check that is performed.
> That said, I'm curious to know how asymmetric routing can break
> this. As long as someone is sending (and you are installing) a
> prefix that includes the source address this check will pass.
> If you don't have a route back to the source at all, that isn't
> asymmetric routing, it's network partitioning, assuming the source
> is legitimate.
Exactly. If I can't reach you, I don't want to
have my hosts or routers spend more time than is necessary
dealing with your requests.
- Jared
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
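As an added example that is not part of the thread, the following Python model contrasts the two reverse-path checks being discussed: the "returnable at all" (loose) check Jared describes against the FIB, and the stricter variant that also requires the return route to point out the ingress interface. The FIB contents, prefixes and interface names are constructed; the rule that a default route does not count as a return path unless explicitly allowed is an assumption of this model.

```python
import ipaddress

# Constructed FIB (not from the thread): prefix -> interface of the best route.
FIB = {
    "192.0.2.0/24": "ge-0/0/1",     # single-homed customer, reached only via 1
    "198.51.100.0/24": "ge-0/0/2",  # best return path via 2, but its traffic
                                    # may arrive on 3 (asymmetric routing)
    "0.0.0.0/0": "ge-0/0/0",        # default route towards upstream
}


def fib_lookup(fib, src):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def rpf_check(fib, src, in_iface, mode="loose", allow_default=False):
    """Reverse-path check on a packet's source address.

    loose:  pass if the FIB holds *any* route back to src (the check described).
    strict: pass only if that route exits via the interface the packet came in on.
    A default route is not treated as a return path unless allow_default is set
    (assumption: a catch-all route proves nothing about the source).
    """
    match = fib_lookup(fib, src)
    if match is None:
        return False
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "strict":
        return iface == in_iface
    return True


if __name__ == "__main__":
    # Constructed packets: (source, ingress interface, why it is interesting)
    packets = [
        ("192.0.2.5", "ge-0/0/1", "symmetric, legitimate"),
        ("198.51.100.7", "ge-0/0/3", "reachable, but arrived on another interface"),
        ("10.0.0.1", "ge-0/0/1", "no route back except the default"),
    ]
    for src, iface, why in packets:
        print(f"{src:>14} on {iface}: loose={rpf_check(FIB, src, iface)} "
              f"strict={rpf_check(FIB, src, iface, 'strict')}  ({why})")
```

The second packet is the asymmetric case raised in the thread: the loose check passes it because a route back exists, while the strict check drops it; the third packet fails both because the only match is the default route.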