
BCP38 - Internet Death Penalty

In a message written on Thu, Mar 28, 2013 at 11:39:45AM -0400, William Herrin wrote:
> "Single homed stub site" is not a configuration option in any BGP
> setup I'm aware of, so how would the router select RPF as the default
> for a single-homed stub site?

I'm not sure if this is what the OP was talking about or not, but
it reminded me of a feature I have wanted in the past.

If you think about a simple multi-homing situation where a person
has their own IP space, their own ASN, and connects to two providers,
they will announce all of their routes to both providers.  They may
in fact do prepending, or more specifics, such that one provider is
preferred, but to get full redundancy all of their blocks need to
go to both providers.

uRPF _strict_ only allows traffic where the active route is back
out the interface.  There are a number of cases where this won't
be true for my simple scenario above (customer uses a depref
community, one ISP is a transit customer of the other being used
for multi-homing, customer has more than one link to the same ISP
and uses prepending on one, etc).  As a result, it can't be applied.

uRPF _loose_ on the other hand only checks if a route is in the
table, and with the table rapidly approaching all of the IP space
in use that's denying less and less every day.

The feature I would like is to set the _packet filter_ based on the
_received routes_ over BGP.  Actually, received routes post prefix list.
Consider this syntax:

 neighbor install-dynamic-filter Gig10/1/2 prefix-list customer-prefixes

Anything that was received would go through the prefix-list
customer-prefixes (probably the same list used to filter their
announcements), and then get turned into a dynamic ACL applied to
the inbound interface (Gig10/1/2 in this case).

I suspect such a feature would allow 99.99% of the BGP speakers to be
"RPF" filtered in a meaningful way, automatically, where uRPF strict is
not usable today.

       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
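The following is an added illustration and not code from the post or from any router vendor: a small model that puts the three checks side by side (uRPF strict, uRPF loose, and the proposed filter built from the routes received over the BGP session after the prefix-list). The prefixes (RFC 5737 documentation ranges), the interface name Gig0/0/0 toward the other ISP, and the prefix-list contents are constructed for the example; Gig10/1/2 is the interface name from the post. The scenario is the one the post describes: a multi-homed customer deprefs one of its prefixes on our link, so our active route for it points at the other ISP even though we received it directly from the customer.

```python
"""Toy comparison of uRPF strict, uRPF loose, and a packet filter derived from
the BGP routes received from a neighbour after a prefix-list.

All prefixes, routes and the peer interface name are constructed for this
example (RFC 5737 documentation space); nothing here comes from a real network.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network

# One entry mirrors "ip prefix-list NAME permit A/B ge G le L": (network, ge, le, action)
PrefixListEntry = Tuple[str, int, int, str]


def prefix_list_action(prefix_list: List[PrefixListEntry], prefix: str) -> str:
    """First-match evaluation with an implicit deny, as a router prefix-list behaves."""
    net = ipaddress.ip_network(prefix, strict=False)
    for entry, ge, le, action in prefix_list:
        base = ipaddress.ip_network(entry, strict=False)
        if net.subnet_of(base) and ge <= net.prefixlen <= le:
            return action
    return "deny"


def build_dynamic_acl(received_routes: List[str],
                      prefix_list: List[PrefixListEntry]) -> List[IPNet]:
    """The proposed 'install-dynamic-filter' behaviour: every route received from the
    neighbour that survives the prefix-list becomes a permitted *source* prefix on
    the inbound interface.  Everything else is implicitly denied."""
    return [ipaddress.ip_network(p, strict=False) for p in received_routes
            if prefix_list_action(prefix_list, p) == "permit"]


def longest_match(rib: Dict[str, str], src: str) -> Optional[Tuple[IPNet, str]]:
    """Active (best) route covering src: (prefix, egress interface) or None."""
    addr = ipaddress.ip_address(src)
    best: Optional[Tuple[IPNet, str]] = None
    for prefix, iface in rib.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(rib: Dict[str, str], src: str, ingress_iface: str) -> bool:
    """Strict mode: the active route for the source must point back out the ingress interface."""
    route = longest_match(rib, src)
    return route is not None and route[1] == ingress_iface


def urpf_loose(rib: Dict[str, str], src: str) -> bool:
    """Loose mode: any route covering the source is enough, whatever interface it uses."""
    return longest_match(rib, src) is not None


def dynamic_acl_allows(acl: List[IPNet], src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acl)


# --- constructed scenario -----------------------------------------------------
CUSTOMER_IFACE = "Gig10/1/2"   # the customer's link, as in the post
PEER_IFACE = "Gig0/0/0"        # hypothetical link to the other ISP the customer uses

# The prefix-list we already apply to the customer's announcements.
CUSTOMER_PREFIX_LIST: List[PrefixListEntry] = [
    ("203.0.113.0/24", 24, 24, "permit"),
    ("198.51.100.0/24", 24, 24, "permit"),
]

# Adj-RIB-In from the customer, including one prefix that is not theirs and
# that the prefix-list rejects.
RECEIVED_FROM_CUSTOMER = ["203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24"]

# Our active routing table.  The customer deprefed 198.51.100.0/24 on our link,
# so its best path is via the other ISP even though we also received it directly.
RIB: Dict[str, str] = {
    "203.0.113.0/24": CUSTOMER_IFACE,
    "198.51.100.0/24": PEER_IFACE,
    "192.0.2.0/24": PEER_IFACE,    # someone else's space, learnt from the peer
}

DYNAMIC_ACL = build_dynamic_acl(RECEIVED_FROM_CUSTOMER, CUSTOMER_PREFIX_LIST)


def evaluate(src: str, ingress_iface: str = CUSTOMER_IFACE) -> Tuple[bool, bool, bool]:
    """Verdicts for a packet with source src arriving on ingress_iface:
    (urpf_strict, urpf_loose, dynamic_filter)."""
    return (urpf_strict(RIB, src, ingress_iface),
            urpf_loose(RIB, src),
            dynamic_acl_allows(DYNAMIC_ACL, src))


if __name__ == "__main__":
    print("dynamic ACL on", CUSTOMER_IFACE, "=", [str(n) for n in DYNAMIC_ACL])
    for src in ["203.0.113.10", "198.51.100.7", "192.0.2.55", "10.9.8.7"]:
        strict, loose, dyn = evaluate(src)
        print(f"{src:>14}  strict={strict!s:5}  loose={loose!s:5}  dynamic={dyn}")
```

The second source, 198.51.100.7, is the case the post is about: strict uRPF drops legitimate traffic because the active route points at the other ISP, loose lets it through, and so does the received-routes filter. The third source, 192.0.2.55, shows the other side: loose uRPF accepts it because a route exists, while the dynamic filter rejects it because the customer's announcement of that block never passed the prefix-list. Note that on a router carrying a default route, loose mode would pass every source, including the last one.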