[69953] in North American Network Operators' Group
RE: asymmetric/peer RPF [RE: TCP/BGP vulnerability - easier than you think]
daemon@ATHENA.MIT.EDU (Michel Py)
Thu Apr 22 10:39:37 2004
Date: Thu, 22 Apr 2004 07:38:50 -0700
From: "Michel Py" <michel@arneill-py.sacramento.ca.us>
To: "Pekka Savola" <pekkas@netcore.fi>
Cc: "Aditya" <aditya@grot.org>, <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
From: Pekka Savola [mailto:pekkas@netcore.fi]
> When discussing RPF towards peers or w/ asymmetric
> paths, I'd recommend to read RFC 3704
I have, this is a very good document.
> If your prefix filter stops a neighbor from
> advertising a prefix, maybe you would have to
> revise your prefix filtering policy (e.g.,
> revise it more often, get notice if the peer
> sends you something you're filtering, tell to
> peers not to advertise anything that's not
> properly in the routing DB's, etc.)? This
> doesn't seem so bad to me...
I agree, but there are many people that think it is very bad. Trouble
is, using RPF has a great potential for problems as it will drop traffic
(which is the reason it's not being used in the first place). The point
I was trying to make is as follows: if you don't use RPF (which is
probably the case) then there is no harm in prefix-filtering peers (if
you are not a tier-1) even if the prefix-filters are not perfect.
Needless to say, there is no point prefix-filtering if your filters are
completely messed up.
Michel.
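
The interaction discussed in the message above, as an added example that is not part of the original post: a toy router model in which an imperfect prefix filter rejects one of a peer's advertisements, evaluated with and without strict RPF (the strict mode described in RFC 3704). The prefixes, interface names and filter contents are constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation prefixes, hypothetical interface names).
ADVERTS = [
    ("0.0.0.0/0", "transit0"),       # default route from the upstream
    ("192.0.2.0/24", "peer0"),       # peer prefix present in the filter
    ("198.51.100.0/24", "peer0"),    # peer prefix missing from the filter
]
PEER_FILTER = {"peer0": {"192.0.2.0/24"}}  # imperfect (stale) prefix filter


def build_fib(adverts, filters=None):
    """Install advertised routes, skipping any a per-interface filter rejects."""
    filters = filters or {}
    fib = []
    for prefix, iface in adverts:
        allowed = filters.get(iface)
        if allowed is not None and prefix not in allowed:
            continue  # a filtered advertisement never reaches the FIB
        fib.append((ipaddress.ip_network(prefix), iface))
    return fib


def lookup(fib, addr):
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, iface) for net, iface in fib if ip in net]
    return max(matches)[1] if matches else None


def accept(fib, src, in_iface, strict_rpf):
    """Strict RPF accepts a packet only if the best route to src uses in_iface."""
    return (not strict_rpf) or lookup(fib, src) == in_iface


def scenario(src="198.51.100.7", in_iface="peer0"):
    """Map (filter_on, rpf_on) -> (inbound packet accepted, return-path interface)."""
    results = {}
    for filtered in (False, True):
        fib = build_fib(ADVERTS, PEER_FILTER if filtered else None)
        for rpf in (False, True):
            results[(filtered, rpf)] = (accept(fib, src, in_iface, rpf), lookup(fib, src))
    return results


if __name__ == "__main__":
    for (filtered, rpf), (ok, egress) in scenario().items():
        print(f"filter={filtered} strict_rpf={rpf} accepted={ok} return_path={egress}")
```

With the filter on and RPF off, traffic from the filtered prefix is still accepted and the return path simply shifts to the transit interface; only the combination of the imperfect filter and strict RPF drops it.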