nanog mailing list archives
Re: router worms and International Infrastructure
From: "Christopher L. Morrow" <christopher.morrow () mci com>
Date: Thu, 22 Sep 2005 15:10:13 +0000 (GMT)
On Thu, 22 Sep 2005, Matthew Crocker wrote:

<snip making networking more complicated than required>

> > Also, consider the cases where customers push packets your way (for uRPF strict, which isn't available for JunOS, but is for IOS depending on platform/code/hardware-rev... ugh!) and never send you a route for the traffic back to them? Maybe they are just a transit and don't even hear the routes for their customer who chose a 'cheaper' path that doesn't include them nor me directly on this link in question?
>
> This sounds like a broken design. Why have one way links? If a

I didn't say I endorsed it, just that it happens, often. It's not a one way link either, the link may have thousands of routes advertised up it, just not a few key ones which are sources of traffic. Like I said earlier this morning, I have no idea why customers don't just send a prepended-to-hell route along this path for backup, but they don't... often.

> customer pushes packets my way and they don't announce that route to me I will drop the packets at my edge. If they want to send me those

and you are breaking them... that's bad.

> packets they need to announce. They can announce with AS path prepend x 1000 so I don't send them any traffic but the route needs to exist.

Sure, and every customer knows bgp/route-maps/policy as well as you... my point wasn't that it was a good or bad thing, just that it is.

> > "does urpf feasible path stop a 'customer' from spoofing sources that are in the FIB?"
>
> No, but you don't use feasible path on links aimed at your customer,

great now we have conflicting answers :) perhaps I'll ask on j-nsp for clarification.

> you use strict. If your router doesn't support strict then talk to your purchasing department.

The problem isn't the router, it's the cards in the router often :( Also, it's supposed to work according to the vendor, until you test and verify it doesn't :( doh! hint, don't buy Engine-3 cards for your 12000's unless you don't care about urpf strict. hurray!
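
An added illustration, not part of the original message or of any vendor's implementation: a small model of the strict, feasible-path and loose uRPF checks (as defined in RFC 3704) applied to the cases argued over in this thread, namely a prefix announced normally, one announced only as a heavily prepended backup, and one the customer sources traffic from but never announces on the link. The prefixes, interface names and the rule that the best path is simply the shortest AS path are assumptions of the example; a router that prefers customer routes by local preference would select a different best path.

```python
import ipaddress

# Constructed RIB: prefix -> [(interface, as_path_length)]. Prefixes are
# documentation ranges and interface names are hypothetical.
RIB = {
    "192.0.2.0/24":    [("cust0", 1)],                 # announced normally on the customer link
    "198.51.100.0/24": [("peer1", 2), ("cust0", 12)],  # prepended backup on the customer link
    "203.0.113.0/24":  [("peer1", 2)],                 # sourced by the customer, never announced here
}

def candidate_routes(src):
    """Longest-prefix match: all known routes for the most specific covering prefix."""
    addr = ipaddress.ip_address(src)
    matches = [ipaddress.ip_network(p) for p in RIB if addr in ipaddress.ip_network(p)]
    if not matches:
        return []
    return RIB[str(max(matches, key=lambda n: n.prefixlen))]

def urpf_accepts(mode, src, in_iface):
    """Return True if a packet with source `src` arriving on `in_iface` passes the check."""
    routes = candidate_routes(src)
    if not routes:
        return False                 # no route to the source at all: every mode drops
    if mode == "loose":
        return True                  # any route, via any interface
    if mode == "feasible":
        # some route to the source, best or not, points back out the ingress interface
        return any(iface == in_iface for iface, _ in routes)
    if mode == "strict":
        # only the best route counts (assumption: shortest AS path wins)
        best_iface, _ = min(routes, key=lambda r: r[1])
        return best_iface == in_iface
    raise ValueError(f"unknown uRPF mode: {mode}")

def verdicts(src, in_iface="cust0"):
    """Verdict of each mode for a packet arriving on the customer-facing interface."""
    return {m: urpf_accepts(m, src, in_iface) for m in ("strict", "feasible", "loose")}

if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.10", "203.0.113.10", "10.9.9.9"):
        print(f"{src:15} {verdicts(src)}")
```

In this model the prepended backup route is enough for feasible-path but not for strict, and the never-announced prefix is dropped by both while loose mode still accepts it.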