nanog mailing list archives
Re: uRPF Loose Check Mode vs. ACL
From: Livio Ricciulli <livio () reactivenetwork com>
Date: Sun, 05 May 2002 16:20:43 -0700
Richard A Steenbergen wrote:

> On Sun, May 05, 2002 at 11:55:21AM -0700, Livio Ricciulli wrote:
>> In particular, I am interested in the ability of eliminating specific routes from the FIB under uRPF Loose Check Mode to effectively filter specific source addresses that are flooding.
>>
>> As I understand the concept, eliminating an address from the FIB such as x.y.0.0/24 would have the equivalent effect of installing a network-wide ACL rule:
>>
>>     deny ip x.y.0.0/24 any
>
> Not quite. First, let's be specific by what you mean by "remove from the FIB", as there are a number of different methods you could use. You could simply block it from the RIB when generating the FIB, you could go back after FIB generation and try to make it unresolved, or you could change the nexthop to "discard". If you're trying to replicate traditional firewall behavior (filter no matter what) you would have to do it post FIB generation, but if you are trying to replicate normal routing behavior (ex: a null route) you would have to do it during FIB generation, so that you can potentially have more specific routes which escape the "filter".

Escaping the "filter" with more specific routes would be absolutely necessary.

> Secondly, when you remove something from your FIB, you also block destination routing as well as source.

Good point; so in ACL equivalent language you are saying that taking out a FIB entry in uRPF Loose Check Mode is equivalent to a network-wide insertion of:

    deny ip x.y.0.0/24 any      (from the uRPF Loose Check Mode)
    deny ip any x.y.0.0/24      (from the absence of a route)

(modulo the more specific routes to escape the "filter", which could be expressed as prepended permits in the ACL equivalent world)

>> The reason why I ask is that we would like to keep control of these two important aspects of the traffic to avoid filtering out too much and therefore possibly affecting legitimate traffic. Think of the case where a flood targets one of multiple downstream customers and the spoofed addresses correspond to a popular address range (such as Yahoo). Doing a "deny ip x.y.0.0/24 any" would effectively shut down Yahoo's traffic for all downstream customers, thus amplifying the attacker's effect.
>
> It sounds like what you are looking for has nothing to do with the RPF or the FIB, but rather simply manual source address filtering.

Well, I am investigating if it is possible today to use uRPF Loose Check Mode to achieve network-wide source/destination address filtering functionality (it seems not from what you write). I imagine that it would be useful to use route advertisements to enforce network-wide access control policies. These policies, however, to be generally interesting for DDoS would have to be at least as expressive as "<deny|permit> <proto> <source> <destination>" (hence my questions).

Livio.
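The two points argued above (that *how* a prefix is taken out of the FIB decides whether a more specific route can escape the filter, and that a FIB-based filter under loose-mode uRPF blocks traffic *to* the range as well as *from* it, whereas an ACL can scope the deny to one destination) can be checked with a small model. The following is an added example written for this archive page, not code from the thread or from any router vendor: the FIB, the longest-prefix match, the loose check and the ACL are toy implementations, the prefixes 192.0.2.0/24 (standing in for the "popular range"), 203.0.113.0/24 (the attacked customer) and 198.51.100.5, the nexthop names R1-customer, R2-peer and R3-upstream, and the packets are all constructed. One modelling assumption is stated in the code: a source that matches only the default route fails the loose check unless the table is built with allow_default=True, mirroring the usual router default.

```python
"""
Toy router model for the thread above: a FIB with longest-prefix match and a
uRPF loose-mode check, next to a first-match ACL.  Added example, not code
from the NANOG thread; every prefix, nexthop name and packet is constructed.
"""
from ipaddress import ip_address, ip_network

DISCARD = "discard"  # stand-in for a Null0 / discard nexthop


class Fib:
    """Longest-prefix-match table mapping prefix -> nexthop name (or DISCARD)."""

    def __init__(self, routes, allow_default=False):
        self.routes = {ip_network(p): nh for p, nh in routes.items()}
        # Assumption modelled on common router behaviour: a match on the
        # default route does not satisfy the loose check unless allowed.
        self.allow_default = allow_default

    def lookup(self, addr):
        """Return (prefix, nexthop) of the most specific covering route, or None."""
        addr, best = ip_address(addr), None
        for prefix, nh in self.routes.items():
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best

    def filter_prefix(self, prefix, honor_more_specifics=True):
        """Emulate 'taking x.y.0.0/24 out of the FIB' by pointing it at DISCARD.

        honor_more_specifics=True is the null-route style (done at FIB
        generation): a more specific route still wins the LPM and escapes the
        filter.  False is the post-FIB 'filter no matter what' style: covered
        more specifics are removed too, so nothing escapes.
        """
        prefix = ip_network(prefix)
        if not honor_more_specifics:
            for p in list(self.routes):
                if p != prefix and p.subnet_of(prefix):
                    del self.routes[p]
        self.routes[prefix] = DISCARD

    def urpf_loose_ok(self, src):
        """Loose check: the source must match some route that is neither
        DISCARD nor (unless allowed) the default route."""
        hit = self.lookup(src)
        if hit is None or hit[1] == DISCARD:
            return False
        return self.allow_default or hit[0].prefixlen != 0

    def forward(self, src, dst):
        """Return the egress nexthop, or the reason the packet was dropped."""
        if not self.urpf_loose_ok(src):
            return "drop:urpf-source"
        hit = self.lookup(dst)
        if hit is None or hit[1] == DISCARD:
            return "drop:no-route-to-destination"
        return hit[1]


def acl_decision(rules, proto, src, dst):
    """First-match ACL over (action, proto, src_net, dst_net); 'any' is a
    wildcard and, as on real routers, an unmatched packet is denied."""
    src, dst = ip_address(src), ip_address(dst)
    for action, p, s, d in rules:
        if (p in ("ip", proto)
                and (s == "any" or src in ip_network(s))
                and (d == "any" or dst in ip_network(d))):
            return action
    return "deny"


def demo():
    """Walk through the thread's scenario; returns a dict of outcomes."""
    # Constructed topology: one customer behind R1, a popular content range
    # (the thread's "Yahoo") behind R2, and a default route to an upstream.
    fib = Fib({"203.0.113.0/24": "R1-customer",
               "192.0.2.0/24": "R2-peer",
               "0.0.0.0/0": "R3-upstream"})
    flood = ("192.0.2.7", "203.0.113.10")      # spoofed popular source -> customer
    reply = ("203.0.113.10", "192.0.2.7")      # customer -> the popular range
    escape = ("192.0.2.200", "203.0.113.10")   # source inside a more specific
    out = {"before": fib.forward(*flood),
           "unrouted_source": fib.forward("198.51.100.5", "203.0.113.10")}
    # "Remove" the spoofed range from the FIB: the flood stops, but so does
    # every downstream customer's traffic *to* that range (the objection above).
    fib.filter_prefix("192.0.2.0/24")
    out["flood_after"] = fib.forward(*flood)
    out["collateral"] = fib.forward(*reply)
    # A more specific route punches a hole in the null-route style filter ...
    fib.routes[ip_network("192.0.2.128/25")] = "R2-peer"
    out["more_specific"] = fib.forward(*escape)
    out["flood_still_dropped"] = fib.forward(*flood)
    # ... but not in the post-FIB-generation style.
    fib.filter_prefix("192.0.2.0/24", honor_more_specifics=False)
    out["post_fib"] = fib.forward(*escape)
    # An ACL can scope the deny to the attacked customer, which the FIB cannot.
    acl = [("deny", "ip", "192.0.2.0/24", "203.0.113.0/24"),
           ("permit", "ip", "any", "any")]
    out["acl_flood"] = acl_decision(acl, "udp", *flood)
    out["acl_reply"] = acl_decision(acl, "tcp", *reply)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>20}: {result}")
```

Running it shows the asymmetry the thread is circling: after filter_prefix the flood is dropped by the loose check, but the customer's own packets toward the range are dropped for want of a route, and only a more specific route restores them (and only in the FIB-generation style). The ACL, by contrast, denies the spoofed source toward the one attacked customer while leaving the customer's outbound traffic permitted.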
Current thread:
- Re: /31 mask address, (continued)
- Re: /31 mask address Miguel Mata-Cardona (May 03)
- Re: Effective ways to deal with DDoS attacks? Stephen Griffin (May 04)
- Re: Effective ways to deal with DDoS attacks? Christopher L. Morrow (May 04)
- Re: Effective ways to deal with DDoS attacks? Iljitsch van Beijnum (May 05)
- RE: Effective ways to deal with DDoS attacks? Barry Raveendran Greene (May 05)
- unicast RPF for peers viable? Iljitsch van Beijnum (May 05)
- Re: unicast RPF for peers viable? Richard A Steenbergen (May 05)
- RE: unicast RPF for peers viable? Barry Raveendran Greene (May 05)
- uRPF Loose Check Mode vs. ACL Livio Ricciulli (May 05)
- Re: uRPF Loose Check Mode vs. ACL Richard A Steenbergen (May 05)
- Re: uRPF Loose Check Mode vs. ACL Livio Ricciulli (May 05)
- Re: uRPF Loose Check Mode vs. ACL Richard A Steenbergen (May 05)
- Re: uRPF Loose Check Mode vs. ACL Valdis . Kletnieks (May 05)
- Re: uRPF Loose Check Mode vs. ACL Richard A Steenbergen (May 05)
- Re: unicast RPF for peers viable? Stephen Griffin (May 05)
- Re: Effective ways to deal with DDoS attacks? Stephen Griffin (May 05)
- Re: Effective ways to deal with DDoS attacks? Christopher L. Morrow (May 05)
- Re: Effective ways to deal with DDoS attacks? Stephen Griffin (May 05)
- Re: Effective ways to deal with DDoS attacks? Christopher L. Morrow (May 05)
- Re: Effective ways to deal with DDoS attacks? Richard A Steenbergen (May 05)
- Re: Effective ways to deal with DDoS attacks? Steven W. Raymond (May 06)