nanog mailing list archives

Re: Where is the edge of the Internet?


From: "alok" <alok.dube () apara com>
Date: Tue, 5 Nov 2002 14:10:01 +0530



they will charge you a whopping sum for that "picking places" bit ;o)
... i agree that the best place to actually address such scenarios is the "backbone"/"peering points"/"borders" where all traffic is seen..rather than go around tinkering at all edges..but i don't know how RPF would address the asymmetry there.. but at the edges...deployment costs are a problem..i think...don't ask me if i have a better idea :o) i would be writing a paper if i did.....

i'd disagree with your choice of places:

backbone - the core is the last place i'd be putting filtering

peering points / borders  - the router needs a full table (asymmetry /
reachable-via any) and be beefy enough to handle the extra load of
filtering.

-----------> so it's a hardware limitation?....bigger cores needed

the places to go after are (IMHO in this order):

- routers immediately upstream of dial-in pools, cable headends etc.etc.
  (strict filtering)
- routers aggregating customer circuits (strict filtering)
- peering / transit circuits (loose filtering)


----------> fair enough...... 2 schools of thought, and your idea makes sense too... no denying that...but you have corner cases... which won't come up if it could be in the core.....

because the destination network is there..... it's still a viable config isn't it..in case of asymmetric uplinks and downlinks? ......what stops you from "not having a route to the source" as routing is destination IP based... some particular network may be covered with 0.0.0.0/0 for example and you may have no routing entry for it... or you could have a customer who uplinks a particular network segment via your ISP, but doesn't advertise his network to you as he actually downlinks that network from somewhere else...nothing to stop that topology either.........right?

a default route is still a route (may need configuring "allow-default").

-----> well that covers everything doesn't it ;o)... even those not in your network..does it actually ping and check to see if it's there?

i don't think you grasp the idea of "reachable-via any" which allows you to
filter only if there is no route for the source address in the entire table,
allowing for asymmetry in the network.

--------------> do you inject BGP into IGP? ....do all access boxes have the entire BGP table/or know every address/network on the internet?


if the router can't return a response or icmp packet to the source, why
bother with the packet. if the router doesn't have a full table and no
default route then it just isn't a smart place to filter (and a very extreme
corner case).

------> most access would be the corner cases... i have cases where tier-2 ISPs would simply take a 3 Mb uplink from 1 service provider and a fat downlink from another (ISP-2) ...all the BGP routes/advertisements would be in the 2nd ISP's network, ISP 1 has no idea what this guy's address range at the access is... this is a common mechanism lots of tier-2 ISPs would apply......

okie...does RPF actually ping and check if there is "indeed" a way to get to
the destination purely via IGP (to indicate it is in the same AS as it is a
spoofed IP)?..again note, purely via IGP....not BGP..(again not a 0.0.0.0/0
crossing to another AS)

if you anyway knew the network so well, a better way would be to use route filters in bgp (access list in) if you anyway knew the customer's network range, and for non-BGP customers, simple filters at edge points without RPF would put the same overhead i guess....
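The strict and loose ("reachable-via any") uRPF checks and the allow-default behaviour argued over in this thread, as an added example that is not part of the original post or of any vendor's implementation; the FIB entries, prefixes and interface names are constructed for illustration.

```python
import ipaddress

# Constructed forwarding table: (prefix, outgoing interface).
# Not taken from the thread; documentation prefixes only.
FIB = [
    ("10.1.0.0/16", "cust1"),       # customer circuit
    ("192.0.2.0/24", "peerA"),      # route learned from peer A
    ("198.51.100.0/24", "peerB"),   # route learned from peer B
    ("0.0.0.0/0", "transit"),       # default route towards transit
]


def lookup(fib, addr):
    """Longest-prefix match; returns (network, iface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for pfx, iface in fib:
        net = ipaddress.ip_network(pfx)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src, in_iface, mode="strict", allow_default=False):
    """True if a packet with source `src` arriving on `in_iface` passes uRPF.

    strict: the best route to src must point back out in_iface.
    loose ("reachable-via any"): any route to src in the table suffices,
    which is what tolerates asymmetric up/downlinks.
    A default route only counts as a route when allow_default is set;
    with it, loose mode accepts every source, as the thread notes.
    """
    match = lookup(fib, src)
    if match is None:
        return False                # no route at all: drop
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False                # only the default covers it
    if mode == "strict":
        return iface == in_iface
    return True


if __name__ == "__main__":
    # Asymmetric case: 192.0.2.5 is routed via peerA but arrives on peerB.
    print("strict:", urpf_check(FIB, "192.0.2.5", "peerB"))              # False
    print("loose :", urpf_check(FIB, "192.0.2.5", "peerB", "loose"))     # True
    # Unadvertised source covered only by 0.0.0.0/0 on an access circuit.
    print("loose, default:", urpf_check(FIB, "203.0.113.7", "cust1", "loose"))
    print("loose, allow-default:",
          urpf_check(FIB, "203.0.113.7", "cust1", "loose", allow_default=True))
```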
