nanog mailing list archives

Re: router worms and International Infrastructure


From: "Christopher L. Morrow" <christopher.morrow () mci com>
Date: Thu, 22 Sep 2005 15:10:13 +0000 (GMT)
On Thu, 22 Sep 2005, Matthew Crocker wrote:

<snip making networking more complicated than required>

> > Also, consider the cases where customers push packets your way (for uRPF
> > strict, which isn't available for JunOS, but is for IOS depending on
> > platform/code/hardware-rev... ugh!) and never send you a route for the
> > traffic back to them? Maybe they are just a transit and don't even hear
> > the routes for their customer who chose a 'cheaper' path that doesn't
> > include them nor me directly on this link in question?


> This sounds like a broken design.  Why have one way links?  If a

I didn't say I endorsed it, just that it happens, often. It's not a one
way link either, the link may have thousands of routes advertised up it,
just not a few key ones which are sources of traffic.

Like I said earlier this morning, I have no idea why customers don't just
send a prepended-to-hell route along this path for backup, but they
don't... often.

> customer pushes packets my way and they don't announce that route to
> me I will drop the packets at my edge.  If they want to send me those

and you are breaking them... that's bad.

> packets they need to announce.  They can announce with AS path
> prepend x 1000 so I don't send them any traffic but the route needs
> to exist.

Sure, and every customer knows bgp/route-maps/policy as well as you... my
point wasn't that it was a good or bad thing, just that it is.


> > "does urpf feasible path stop a 'customer' from spoofing sources that are
> > in the FIB?"

> No,  but you don't use feasible path on links aimed at your customer,

great now we have conflicting answers :) perhaps I'll ask on j-nsp for
clarification.

> you use strict.  If your router doesn't support strict then talk to
> your purchasing department.

The problem isn't the router, it's the cards in the router often :( Also,
it's supposed to work according to the vendor, until you test and verify
it doesn't :( doh! hint, don't buy Engine-3 cards for your 12000's unless
you don't care about urpf strict.

hurray!
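The disagreement above is about what strict, feasible-path and loose uRPF each accept on a customer-facing link when the customer's traffic sources prefixes it never announces to you, or announces only as a heavily prepended backup. The following is an added example, not code from this post or from any vendor: a small Python model of the three check modes over a constructed FIB. The semantics it encodes are an assumption drawn from the common description of the modes, not vendor documentation, and it ignores default-route handling entirely. Interface names and prefixes are constructed; the address blocks are documentation and benchmark ranges.

```python
"""Toy model of the three uRPF check modes argued about in this thread.

Added example, not code from the NANOG post or from any vendor. Assumed
semantics (an assumption, not vendor documentation): strict accepts a packet
only when the best (active) route to its source points back out the ingress
interface; feasible-path also accepts when any alternative path the router
knows, such as a heavily prepended BGP backup route, points out that
interface; loose accepts any source that has a route in the FIB at all.
Default-route handling is deliberately ignored.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    active_ifaces: frozenset    # interfaces used by the best path(s)
    feasible_ifaces: frozenset  # interfaces of every known path, best or not


class Fib:
    """Longest-prefix-match table over a list of Route entries."""

    def __init__(self, routes):
        # Most-specific first, so the first hit is the longest match.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        for r in self.routes:
            if a in r.prefix:
                return r
        return None


def urpf_accept(fib, src, ingress, mode):
    """Return True if a packet from src arriving on ingress passes the check."""
    route = fib.lookup(src)
    if route is None:
        return False  # no route to the source: every mode drops it
    if mode == "strict":
        return ingress in route.active_ifaces
    if mode == "feasible":
        return ingress in route.feasible_ifaces
    if mode == "loose":
        return True
    raise ValueError(f"unknown uRPF mode {mode!r}")


# Constructed FIB for a router with one customer link and one upstream transit.
CUST, TRANSIT = "cust-link", "transit"
FIB = Fib([
    # Customer's own block, announced to us over the customer link.
    Route(ipaddress.ip_network("192.0.2.0/24"), frozenset({CUST}), frozenset({CUST})),
    # Customer's downstream that chose a cheaper path: we learn it only from
    # transit, so the best path and the only known path both point upstream.
    Route(ipaddress.ip_network("198.51.100.0/24"), frozenset({TRANSIT}), frozenset({TRANSIT})),
    # Downstream the customer also announces prepended-to-hell as a backup:
    # best path is still via transit, but a feasible path exists via the customer.
    Route(ipaddress.ip_network("203.0.113.0/24"), frozenset({TRANSIT}), frozenset({TRANSIT, CUST})),
    # Unrelated remote prefix, reachable only via transit.
    Route(ipaddress.ip_network("198.18.0.0/15"), frozenset({TRANSIT}), frozenset({TRANSIT})),
])

# Constructed packet sources arriving on the customer link.
SOURCES = {
    "own": "192.0.2.10",              # legitimate, announced to us here
    "unannounced": "198.51.100.10",   # legitimate, but never announced to us
    "prepended": "203.0.113.10",      # legitimate, announced only as a backup path
    "spoofed_remote": "198.18.0.10",  # spoofed source whose prefix is in the FIB
    "spoofed_noroute": "100.64.0.10", # spoofed source with no route at all
}


def evaluate(mode):
    """Verdict per source for packets arriving on the customer link."""
    return {name: urpf_accept(FIB, src, CUST, mode) for name, src in SOURCES.items()}


if __name__ == "__main__":
    for mode in ("strict", "feasible", "loose"):
        print(mode, evaluate(mode))
```

Under this model strict drops the "unannounced" source, which is the legitimate-but-asymmetric case the thread is complaining about, and also drops the prepended backup because it is not the best path; feasible-path accepts the prepended backup (the fix suggested above) while still dropping the spoofed remote prefix, since no path to it goes via the customer; loose stops nothing that has a route. What a given line card actually implements is exactly the thing the post says you have to test rather than trust.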