nanog mailing list archives
Re: router worms and International Infrastructure
From: Matthew Crocker <matthew () crocker com>
Date: Thu, 22 Sep 2005 08:51:29 -0400
>> At your borders (upstream/peers), you will naturally block all of 10/8 at egress.
> my border is very broad and it's not feasible to use acls on all equipment that makes up that edge :( (for the sake of argument, which is now far afield from the original question: "Feasible path won't stop someone spoofing space that's in my FIB, will it?")
The solution is a double border, possibly with VRF and inter-VRF routing
Internal border sees 10/8 and 10/8 is in the FIB. 10/8 packets can be spoofed here. Infrastructure connects here.
External border doesn't see 10/8, 10/8 is NOT in the FIB, 10/8 packets can't be spoofed. Internet connects here.
Internal <-> External links use routable IP space to not infect external with infrastructure routes. External border cannot talk to infrastructure IPs but it doesn't need to.
External can route through infrastructure to customer CPE. 10/8 can still be spoofed on the infrastructure but it will have to come from a customer, not from the Internet.
> Also, consider the cases where customers push packets your way (for uRPF strict, which isn't available for JunOS, but is for IOS depending on platform/code/hardware-rev... ugh!) and never send you a route for the traffic back to them? Maybe they are just a transit and don't even hear the routes for their customer who chose a 'cheaper' path that doesn't include them nor me directly on this link in question?
This sounds like a broken design. Why have one way links? If a customer pushes packets my way and they don't announce that route to me I will drop the packets at my edge. If they want to send me those packets they need to announce. They can announce with AS path prepend x 1000 so I don't send them any traffic but the route needs to exist.
> "does urpf feasible path stop a 'customer' from spoofing sources that are in the FIB?"
No, but you don't use feasible path on links aimed at your customer, you use strict. If your router doesn't support strict then talk to your purchasing department.
--
Matthew S. Crocker
Vice President
Crocker Communications, Inc.
Internet Division
PO BOX 710
Greenfield, MA 01302-0710
http://www.crocker.com
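The discussion above turns on two things: which uRPF mode a router runs (loose, feasible-path or strict) and whether the spoofed source prefix is in the FIB of the router doing the check. The following is an added example, not code from the original post or from any vendor; it is a small Python model of those three checks run against the double-border design the reply describes. The interface names (`infra`, `cust-a`, `cust-b`, `peer-x`, `external-link`), the prefixes and the tiny FIBs are all constructed for illustration, and the model ignores ECMP and default routes.

```python
"""Model of uRPF loose / feasible-path / strict checks against a toy FIB.

Constructed example: interface names, prefixes and routes are hypothetical.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    best_iface: str                                  # interface used by the active (FIB) path
    feasible_ifaces: set = field(default_factory=set)  # other RIB paths that lost the best-path decision


class Fib:
    def __init__(self, routes):
        # longest prefix first, so the first containing route is the most specific
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        for r in self.routes:
            if a in r.prefix:
                return r
        return None


def urpf_pass(fib, mode, src, in_iface):
    """True if a packet with source `src` arriving on `in_iface` passes uRPF in `mode`."""
    r = fib.lookup(src)
    if r is None:
        return False                        # source not in the FIB: dropped in every mode
    if mode == "loose":
        return True                         # any route to the source is enough
    if mode == "feasible":
        return in_iface == r.best_iface or in_iface in r.feasible_ifaces
    if mode == "strict":
        return in_iface == r.best_iface     # only the active path's interface counts
    raise ValueError(f"unknown uRPF mode {mode!r}")


def scenarios():
    """Run the cases from the thread and return {case: passes_urpf}."""
    net = ipaddress.ip_network
    # Internal border: carries infrastructure space (10/8) and the customer routes.
    # 203.0.113.0/24 is best via peer-x but was also announced by cust-b with a long prepend,
    # so cust-b only shows up as a feasible (non-best) path.
    internal = Fib([
        Route(net("10.0.0.0/8"), "infra"),
        Route(net("198.51.100.0/24"), "cust-a"),
        Route(net("203.0.113.0/24"), "peer-x", {"cust-b"}),
    ])
    # External border: faces the Internet and never learns 10/8 at all.
    external = Fib([
        Route(net("198.51.100.0/24"), "core"),
        Route(net("203.0.113.0/24"), "peer-x"),
    ])
    return {
        # Internet-side packet with a 10/8 source hits the external border: no route, dropped even in loose mode
        "internet_10/8_at_external_loose": urpf_pass(external, "loose", "10.1.2.3", "internet"),
        # the same packet checked where 10/8 IS in the FIB: loose lets it through, strict does not
        "internet_10/8_at_internal_loose": urpf_pass(internal, "loose", "10.1.2.3", "external-link"),
        "internet_10/8_at_internal_strict": urpf_pass(internal, "strict", "10.1.2.3", "external-link"),
        # a customer sourcing from its own announced prefix passes the strict check
        "cust_a_own_prefix_strict": urpf_pass(internal, "strict", "198.51.100.7", "cust-a"),
        # a customer sourcing from infrastructure space over its access link
        "cust_b_10/8_strict": urpf_pass(internal, "strict", "10.1.2.3", "cust-b"),
        "cust_b_10/8_feasible": urpf_pass(internal, "feasible", "10.1.2.3", "cust-b"),
        "cust_b_10/8_loose": urpf_pass(internal, "loose", "10.1.2.3", "cust-b"),
        # customer announced the prefix with a prepend (route exists, but is not the best path)
        "cust_b_prepended_strict": urpf_pass(internal, "strict", "203.0.113.9", "cust-b"),
        "cust_b_prepended_feasible": urpf_pass(internal, "feasible", "203.0.113.9", "cust-b"),
        # customer pushes traffic for a prefix it never announced to us at all
        "cust_c_unannounced_strict": urpf_pass(internal, "strict", "203.0.113.9", "cust-c"),
        "cust_c_unannounced_loose": urpf_pass(internal, "loose", "203.0.113.9", "cust-c"),
    }


if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case:40s} {'pass' if ok else 'DROP'}")
```

Two things the run makes visible: the external border drops a 10/8 source in every mode simply because nothing in its FIB covers it, which is the whole point of keeping infrastructure space out of that FIB; and a customer route that lost the best-path decision (the prepended announcement) is exactly the case feasible-path mode accepts and strict mode rejects, while a prefix the customer never announced fails both.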