Re: NSPs filter?

[Jared Mauch <jared () puck Nether net>]

On Mon, Aug 05, 2002 at 12:39:08PM -0400, Richard A Steenbergen wrote:
> On Mon, Aug 05, 2002 at 11:59:04PM +0800, Barry Raveendran Greene wrote:
> > We already have BCP 38, which strongly recommends packet filtering on the
> > customer-ISP edge. There are now two major vendors who have strict mode
> > uRPF. This which covers 80% of the BCP 38 packet filtering on the
> > customer-ISP edge. With a few BGP config tweaks, strict mode uRPF can cover
> > a lot of the last 20% (all those multihomed customers).
>
> Except vendor J doesn't spend much time at the customer edge, and vendor F 
> seems to think that you should do per-interface RPF with acl's.
>
> Also, vendor J's implementation of loose mode is significantly different
> from everyone elses. It seems they mean "is it feasible for this src ip to
> be routed to this interface regardless or route selection", not "it is
> feasible for this src ip to be routes to any interface on the box". Or to
> put it another way, say you peer with someone who sends you 5000 routes,
> but you only accept 4000 as best-path. If you feasible filter it, you'll
> be allowing src IPs from those 5000 prefixes, not from all 100k+ on the
> box. While this is potentially a neat feature, it isn't the same as true
> "loose".

        Juniper I believe is working on a "super-loose" check which
will mimick the cisco behaviour.  As always, check with your vendor
for more detailed information, etc..

> Between that and only being able to set strict or feasible for the entire 
> box and not per-interface, I'd say vendor J's implementation is almost 
> completely useless at this point.

        Their 'loose' is interesting only in the case of customer
interfaces and not so interesting in the network core.  Also
I seem to recall that it's a global option currently.

        - jared

-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.