nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Is it time to abandon bogon prefix filters?

From: Pekka Savola <pekkas () netcore fi>
Date: Wed, 20 Aug 2008 08:24:35 +0300 (EEST)
On Tue, 19 Aug 2008, Kevin Loch wrote:

        While you're at it, you also placed the reachable-via rx on
 all your customer interfaces.  If you're paranoid, start with the 'any'
 rpf and then move to the strict rpf.  The strict rpf also helps with
 routing loops.


Be careful not to enable strict rpf on multihomed customers.  This includes
any bgp customer unless you know for sure they are single homed to you and that will not 
change.
Strict uRPF (feasible paths variant, RFC3704) works just fine with multihomed customers here.
But we don't allow TE more specifics either from the customer or from peers, so the longest prefix matching doesn't get messed up. And with certain kind of p2p link numbering, you may need to add a dummy static route. But it works. 

For more see especially Section 3 of:
http://tools.ietf.org/id/draft-savola-bcp84-urpf-experiences-03.txt

(comments are also welcome.)

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
Previous By Date Next
Previous By Thread Next

Current thread: