[53272] in North American Network Operators' Group


Re: Where is the edge of the Internet? Re: no ip forged-source-address

daemon@ATHENA.MIT.EDU (bdragon@gweep.net)
Thu Nov 7 14:12:14 2002

To: alok.dube@apara.com (alok)
Date: Thu, 7 Nov 2002 14:11:41 -0500 (EST)
Cc: nanog@nanog.org
In-Reply-To: <no.id> from "alok" at Nov 05, 2002 12:15:40 PM
From: <bdragon@gweep.net>
Errors-To: owner-nanog-outgoing@merit.edu


> > I'm opposed to some of the suggestions where to put source address
> > filters, especially placing them in "non-edge" locations.  E.g. requiring
> > address filters at US border crossings is a *bad* idea, worthy of an
> > official visit from the bad idea fairy.
> 
> What is bad about filtering facing non-customers, if loose rpf is
> used? I'm assuming this is what you mean by "border crossings" rather than
> the literal.
> 
> --------->makes sense on the edge/aggregation but if you do it further up in
> the network.....there may be some cases where we have asymmetric routing,
> where the path of the uplink is never the same path as the downlink, and
> in fact the source network of the packet may never be present in the routing
> table....(it is possible, after all it's a packet switched network and the
> routing is destination IP based) ...

Right, which is why I specifically mentioned loose rpf, vs. strict rpf.

Even further up the customer chain, you'll still have a list of customer
networks (assuming folks are doing the right thing by filtering customer
bgp announcements) which could be used as an input to strict rpf.
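
As an added illustration (not part of the original message), the sketch below models the three checks discussed in this thread: strict RPF, loose RPF, and a per-customer prefix list reused from BGP announcement filtering. The FIB contents, interface names and addresses are constructed, and treating the customer list as a per-port source check is one reading of the suggestion.

```python
import ipaddress

# Constructed sample data: documentation prefixes, hypothetical interface names.
# FIB of a default-free router: prefix -> interface of the best route.
FIB = {
    "198.51.100.0/24": "cust-a",
    "192.0.2.0/24": "peer-2",    # cust-a is multihomed; best path is elsewhere
    "203.0.113.0/24": "peer-2",  # its traffic arrives on peer-1 (asymmetric)
}
# Per-customer networks, the same list used to filter their BGP announcements.
CUSTOMER_PREFIXES = {"cust-a": ["198.51.100.0/24", "192.0.2.0/24"]}

def best_route_iface(src):
    """Longest-prefix match of src in the FIB; None when no route covers it."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), i) for p, i in FIB.items()
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def strict_rpf(src, in_iface):
    """Pass only if the best route back to src points out the ingress interface."""
    return best_route_iface(src) == in_iface

def loose_rpf(src, in_iface):
    """Pass if any route to src exists, whatever interface it uses."""
    return best_route_iface(src) is not None

def prefix_list_check(src, in_iface):
    """Pass if src is inside the networks registered for this customer port."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p)
               for p in CUSTOMER_PREFIXES.get(in_iface, []))

def evaluate(src, in_iface):
    return {"strict": strict_rpf(src, in_iface),
            "loose": loose_rpf(src, in_iface),
            "prefix_list": prefix_list_check(src, in_iface)}

if __name__ == "__main__":
    for src, iface in [("203.0.113.9", "peer-1"),   # legitimate, asymmetric path
                       ("10.66.0.1", "peer-1"),     # source with no route at all
                       ("192.0.2.10", "cust-a"),    # customer net, best path elsewhere
                       ("203.0.113.9", "cust-a")]:  # source outside the customer list
        print(f"{src:>14} on {iface:<7} {evaluate(src, iface)}")
```

On the non-customer port the asymmetric packet fails the strict check but passes the loose one, while on the customer port the prefix list accepts the multihomed customer's own network that the FIB-based strict check would drop.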

