[61229] in North American Network Operators' Group


Re: Lazy Engineers and Viable Excuses

daemon@ATHENA.MIT.EDU (Matt Levine)
Tue Aug 26 11:29:56 2003

In-Reply-To: <Pine.LNX.4.44.0308261610430.8378-100000@MrServer>
Cc: Leo Bicknell <bicknell@ufp.org>, NANOG <nanog@merit.edu>
From: Matt Levine <matt@deliver3.com>
Date: Tue, 26 Aug 2003 11:29:17 -0400
To: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
Errors-To: owner-nanog-outgoing@merit.edu



On Tuesday, August 26, 2003, at 11:13 AM, Stephen J. Wilcox wrote:

>
>
> On Tue, 26 Aug 2003, Leo Bicknell wrote:
>
>> In a message written on Tue, Aug 26, 2003 at 10:43:00AM -0400, Jared Mauch wrote:
>>> 	Yes I could, if you and your customers had all the routes
>>> they sourced packets from registered.  This has nothing to do
>>> with routing 101, this has to do with filtering customers and
>>> having anti-spoofing filters as well as route objects for any
>>> prefix you will source packets from.
>>
>>
>>          ___T1 to Verio, With BGP____Verio______
>>         /                                       \
>> Customer                                         UUnet
>>         \                                       /
>>          ---T1 to Sprint, No BGP-----Sprint-----
>>
>> Now, the customer, over their two T1 transit circuits does the
>> following:
>>
>> as-path access-list 1 deny .*
>>
>> neighbor verio filter-list 1 in
>>
>> ip route 0.0.0.0 0.0.0.0 sprint
>>
>> Should the customer have to register a route with Sprint to make
>> this work?  How does UUNet, who only received a route from Verio,
>> know incoming packets from Sprint aren't spoofed?  Note also, even
>> if these cases are in the IRR, UUNet's filter for Sprint will be
>> larger than the number of routes currently received, since there is
>> no route for this prefix that needs to be in the filter.
>>
>> [Note, I don't suggest this configuration is common or useful on
>> its own, but rather it's a simple enough case it can be used for
>> discussion in e-mail.]
>
> Hmm this isn't a real world scenario tho.. if you multihome there should be BGP
> on both paths..
>
> In the example above Sprint aren't accepting or sourcing a route so there is no
> issue on routes being passed into Sprint or UUNET and we're talking here about
> spoofing of routes not packets

In a real world scenario, I bumped into Verio's RPF peer filters
yesterday.

Due to the large outage at 200 Paul, the /19 that one of my /24's is
out of went away.  Obviously due to prefix filtering policies, Verio
didn't have my /24.  I had several people complain who were multihomed,
and did have the /24 from their other carrier(s).  Unfortunately, my
best path to these customers was via Verio, whose RPF promptly blocked
my return traffic :(




>
> Steve
>
>
--
Matt Levine <matt@deliver3.com>
"The Trouble with doing anything right the first time is that nobody 
appreciates how difficult it was."  -BIX
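
The two situations discussed in this message, as an added example that is not part of the original thread: a toy model of a reverse-path (RPF) source check, run first on the outage case (covering /19 withdrawn, /24 dropped by a prefix-length filter) and then on the quoted Verio/Sprint diagram. The prefixes, interface names, the length-based filter and the strict/loose modes are assumptions made for illustration, not a description of any carrier's actual configuration.

```python
import ipaddress

class Rib:
    """Toy routing table: prefix -> interface of the best path."""
    def __init__(self, max_prefix_len=24):
        self.max_prefix_len = max_prefix_len   # assumed prefix-length filter
        self.routes = {}

    def announce(self, prefix, iface):
        net = ipaddress.ip_network(prefix)
        if net.prefixlen > self.max_prefix_len:
            return False                       # filtered, never installed
        self.routes[net] = iface
        return True

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, addr):
        """Longest-prefix match; None when nothing covers the address."""
        ip = ipaddress.ip_address(addr)
        matches = [n for n in self.routes if ip in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

def rpf_accepts(rib, src, in_iface, mode="strict"):
    """strict: route to src must point back out in_iface.
    loose: any route covering src is enough."""
    iface = rib.lookup(src)
    if iface is None:
        return False
    return mode == "loose" or iface == in_iface

def outage_scenario():
    # Constructed prefixes: a /24 carved out of a /19.
    rib = Rib(max_prefix_len=19)
    rib.announce("10.32.0.0/19", "transit")    # aggregate accepted
    rib.announce("10.32.5.0/24", "peer")       # more-specific filtered out
    before = rpf_accepts(rib, "10.32.5.10", "peer", "loose")
    rib.withdraw("10.32.0.0/19")               # aggregate goes away
    after = rpf_accepts(rib, "10.32.5.10", "peer", "loose")
    return before, after                       # even loose mode now drops

def asymmetric_scenario():
    # Quoted diagram: route learned only via Verio, packets arrive via Sprint.
    rib = Rib()
    rib.announce("10.32.5.0/24", "verio")
    return {m: rpf_accepts(rib, "10.32.5.10", "sprint", m) for m in ("strict", "loose")}

if __name__ == "__main__":
    print(outage_scenario(), asymmetric_scenario())
```
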

