nanog mailing list archives

Re: BCP38 For BGP Customers

From: Grant Taylor via NANOG <nanog () nanog org>
Date: Tue, 8 Nov 2022 09:40:37 -0700

On 11/8/22 6:28 AM, Douglas Fischer wrote:

I also have this concern about Spoofing coming from Downstreams.

+1

And after a lot of struggle I can say that using uRPF in strict mode perinterface doing FIB lookup is not a good idea!

Maybe it's the lack of caffeine, but would someone please remind /enlighten me as to why uRPF is a bad idea on downstream interfaces?

N.B. Maybe I'm thinking more a varient of uRPF wherein if I have a routeto the source from the interface in question. Thus not uRPF-strict(active route) nor uRPF-loose (route on any interface).

I've spent a lot of time wrestling with this issue, and the measurementthat matters most, which are support tickets, doesn't show good results.


Will you please share a high level of what the technical problems are?

The best option I've found so far?
It is to use the same Prefix-List that you use to release the routesaccepted in the BGP session in a Filter Policy applied in the interfacewith the Downstream.Another important point to note is that you MUST NOT drop everythingelse that doesn't match this Prefix-List.

Please clarify if there are routes that would return the packets thatwould be dropped back to your router & downstream client.

I don't understand why you would want to allow packets that couldn'treturn the same path.

As for asymmetrically routed packets, I would still expect a return pathto exist, even if it's not utilized.

(Yes, I know it's hard to accept that...)


#headScratching

But put a bandwidth and PPS control on what doesn't match theprefix-list, and block what exceeds.
And why do it this way?
Among other reasons, it is very common that Exceeded TTL responses comewith source IPs for private use, or IP blocks that are for public usebut not announced to the DFZ.

I'll argue -- possibly from a place of ignorance -- that there shouldnot be any packets on the Internet at large (default free zone) to orfrom IPs not part of the Internet (DFZ).

I view the TTL Exceeded packets as errant in their non-globally-routedsource address and as such should be dropped early / often.

Both "be liberal in what you accept and conservative in what you send"(Jon Postel) and "Brown M&M" (Van Halen) come to mind, as does the newerindustry phrase "fail-fast".




--
Grant. . . .
unix || die

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Current thread:

RE: BCP38 For BGP Customers, (continued)
- - RE: BCP38 For BGP Customers Tony Wicks (Nov 07)
    - Re: BCP38 For BGP Customers William Herrin (Nov 07)
- Re: BCP38 For BGP Customers Mike Hammett (Nov 07)
  - RE: BCP38 For BGP Customers Ryan Hamel (Nov 07)
  - RE: BCP38 For BGP Customers Brian Turnbow via NANOG (Nov 08)
    - Re: BCP38 For BGP Customers Joel Halpern (Nov 08)
    - Re: [EXTERNAL] Re: BCP38 For BGP Customers Compton, Rich A (Nov 08)
    - Re: [EXTERNAL] Re: BCP38 For BGP Customers Joel Halpern (Nov 08)
    - Re: BCP38 For BGP Customers Jay R. Ashworth (Nov 08)
- Re: BCP38 For BGP Customers Douglas Fischer (Nov 08)
  - Re: BCP38 For BGP Customers Grant Taylor via NANOG (Nov 08)
    - Re: BCP38 For BGP Customers William Herrin (Nov 08)
    - Re: BCP38 For BGP Customers Mike Hammett (Nov 08)
    - Re: BCP38 For BGP Customers William Herrin (Nov 08)
    - RE: BCP38 For BGP Customers Adam Thompson (Nov 22)
    - Re: BCP38 For BGP Customers Grant Taylor via NANOG (Nov 08)
    - Re: BCP38 For BGP Customers William Herrin (Nov 08)
    - Re: BCP38 For BGP Customers Grant Taylor via NANOG (Nov 10)
    - Re: BCP38 For BGP Customers William Herrin (Nov 10)
    - Re: BCP38 For BGP Customers Jared Mauch (Nov 10)
    - Re: BCP38 For BGP Customers Matthew Petach (Nov 08)

(Thread continues...)