[61228] in North American Network Operators' Group
Re: Lazy Engineers and Viable Excuses
daemon@ATHENA.MIT.EDU (Stephen J. Wilcox)
Tue Aug 26 11:13:37 2003
Date: Tue, 26 Aug 2003 16:13:01 +0100 (BST)
From: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
To: Leo Bicknell <bicknell@ufp.org>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <20030826150312.GB33506@ussenterprise.ufp.org>
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, 26 Aug 2003, Leo Bicknell wrote:
> In a message written on Tue, Aug 26, 2003 at 10:43:00AM -0400, Jared Mauch wrote:
> > Yes I could, if you and your customers had all the routes
> > they sourced packets from registered. This has nothing to do
> > with routing 101, this has to do with filtering customers and
> > having anti-spoofing filters as well as route objects for any
> > prefix you will source packets from.
>
>
>          ___T1 to Verio, With BGP____Verio______
>         /                                        \
> Customer                                          UUnet
>         \                                        /
>          ---T1 to Sprint, No BGP-----Sprint-----
>
> Now, the customer, over their two T1 transit circuits does the
> following:
>
> as-path access-list 1 deny .*
>
> neighbor verio filter-list 1 in
>
> ip route 0.0.0.0 0.0.0.0 sprint
>
> Should the customer have to register a route with Sprint to make
> this work? How does UUNet, who only received a route from Verio,
> know incoming packets from Sprint aren't spoofed? Note also, even
> if these cases are in the IRR, UUNet's filter for Sprint will be
> larger than the number of routes currently received, since there is
> no route for this prefix that needs to be in the filter.
>
> [Note, I don't suggest this configuration is common or useful on
> its own, but rather it's a simple enough case it can be used for
> discussion in e-mail.]

Hmm, this isn't a real-world scenario though.. if you multihome there should be BGP
on both paths..

In the example above Sprint aren't accepting or sourcing a route, so there is no
issue on routes being passed into Sprint or UUNET, and we're talking here about
spoofing of routes, not packets.

Steve
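
The following is an added example, not part of either poster's message: a small model of the quoted two-T1 topology that checks, hop by hop, whether a per-link source-address filter built from received BGP routes (optionally extended with registered route objects) passes the customer's packets. The prefix 192.0.2.0/24, the link names and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample prefix (documentation range) standing in for the customer's block.
CUSTOMER = ipaddress.ip_network("192.0.2.0/24")

# (receiver, sender) -> prefixes the receiver hears from the sender over BGP,
# following the quoted setup: BGP to Verio, static default only towards Sprint.
BGP_RECEIVED = {
    ("verio", "customer"): {CUSTOMER},
    ("sprint", "customer"): set(),   # no BGP session on this T1
    ("uunet", "verio"): {CUSTOMER},
    ("uunet", "sprint"): set(),      # Sprint has no customer route to pass on
}


def build_filter(link, irr):
    """Source prefixes accepted on a link: routes received there plus any
    route objects registered for it (irr maps link -> set of prefixes)."""
    return BGP_RECEIVED[link] | irr.get(link, set())


def first_drop(src, path, irr):
    """Walk the path in forwarding order and return the (receiver, sender)
    link whose filter rejects src, or None if every hop accepts it."""
    addr = ipaddress.ip_address(src)
    for sender, receiver in zip(path, path[1:]):
        link = (receiver, sender)
        if not any(addr in net for net in build_filter(link, irr)):
            return link
    return None


def filter_overhead(link, irr):
    """Filter entries on a link beyond the routes actually received there."""
    return len(build_filter(link, irr)) - len(BGP_RECEIVED[link])


# Hypothetical registrations: with Sprint only, then with Sprint and UUNet.
IRR_SPRINT_ONLY = {("sprint", "customer"): {CUSTOMER}}
IRR_BOTH = {("sprint", "customer"): {CUSTOMER}, ("uunet", "sprint"): {CUSTOMER}}
VIA_VERIO = ["customer", "verio", "uunet"]
VIA_SPRINT = ["customer", "sprint", "uunet"]
```

With filters derived only from received routes, traffic leaving over the Sprint T1 is rejected at the first hop; registering the prefix on each link lets it through at the cost of filter entries that match no received route.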