[c-nsp] Re: URPF on small BGP-enabled customers?

Joe Maimon jmaimon at ttec.com
Fri Jun 3 17:57:45 EDT 2005



David J. Hughes wrote:
> 
> On 04/06/2005, at 6:35 AM, Joe Maimon wrote:
> 
>> And if they were multihomed to the same two peers that you announced
>> no-export?
>>
>> Should they still be taking default then?
>>
>> IMHO all those who tag no-export and then are surprised when people
>> surprise surprise don't get those routes, those are the daft ones.
> 
> 
> Perhaps you should consider the possible scenarios before making such 
> assumptions.  We present our prefixes to 6 upstream ASes (every tier-1 
> in the country plus some others).  We tagged no-export to one of our 
> upstreams for our own traffic engineering purposes.
> 
> The "daft" provider to which I referred was single homed, but still ran 
> BGP and neither generated a default internally nor accepted one from 
> their upstream.  It appears that they were not getting a full table from 
> their provider (or were filtering it) as that would have included our 
> prefixes via 5 indirect paths.

If their provider was the same one you tagged no-export to, then they 
were getting the full table from their peer. Except you requested that 
peer not send them your route.

If that was the case, your assumption was that they would get the route 
elsewhere. That assumption is far less safe to make.

I don't see how this changes anything. Of course peers downstream of the 
peers you have your route marked no-export will not have it in their 
full table unless they get it from a peer who does not have it marked 
no-export.

Presumably you tag no-export because you DON'T want traffic thru the 
provider from that provider's peers to the prefix. That provider's 
customers using a default will not conform to your desired behavior. It 
cuts both ways.

> 
> 
>> If a router gets a full BGP table from its peer it should never need a
>> default route.
> 
> 
> The assumption that getting a "full table" from only a single provider 
> will ensure you get every prefix on the public network is fundamentally 
> flawed.  By definition you are getting THEIR idea of a full table, 
> regardless the filtering etc that their peering policies may impose.  As 
> a customer you have no control over their peering policies. I certainly 
> wouldn't run without a default in that environment.

The assumption is that as long as you are getting a full table from a 
provider who has ensured that they have a best path for every received 
announced route, then so do you. This is how the protocol is supposed to 
converge.

> 
> 
> David
> ...
> 
> 

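The propagation behaviour argued over above (NO_EXPORT stopping the route at one upstream, the single-homed customer of that upstream not seeing it, and the multihomed customer picking it up elsewhere) can be checked with a small model. The following is an added example, not code from the thread or from any vendor; the AS names X, U1 to U6, C and M form a constructed topology chosen to match David's description (six upstreams, NO_EXPORT toward one of them), and the strict-uRPF check is simplified to "is there a route at all", ignoring the interface match a real strict-mode check also requires. It also covers the later point about a "full table" from a single provider: the model shows what that provider's idea of the full table contains.

```python
"""Toy model of BGP route propagation with the NO_EXPORT community.

Added example (not from the mailing-list thread). The topology is
constructed; the behaviour modelled is: an AS that receives a route
carrying NO_EXPORT installs it but does not announce it to any other AS.
"""
from collections import deque

NO_EXPORT = "no-export"


def propagate(origin, neighbors, no_export_to):
    """Flood one prefix from `origin` across an AS graph.

    neighbors:    dict AS -> list of directly connected ASes.
    no_export_to: set of neighbours to which `origin` attaches NO_EXPORT.
    Returns a RIB: dict AS -> AS_PATH (list of ASes, nearest first) for
    every AS that learned the prefix. Breadth-first order gives each AS
    the shortest AS_PATH, standing in for BGP best-path selection.
    """
    rib = {origin: []}            # the originator has a local route
    readvertise = {origin: True}  # False once NO_EXPORT was received
    queue = deque([origin])
    while queue:
        asn = queue.popleft()
        if not readvertise[asn]:
            continue  # NO_EXPORT: the route stays inside this AS
        for nbr in neighbors.get(asn, ()):
            if nbr in rib:
                continue  # already holds an equal-or-shorter path
            rib[nbr] = [asn] + rib[asn]
            # Only the originator tags; everyone else forwards untagged.
            readvertise[nbr] = not (asn == origin and nbr in no_export_to)
            queue.append(nbr)
    return rib


def strict_urpf_accepts(rib, asn, has_default, allow_default=False):
    """Simplified strict uRPF at `asn` for packets sourced from the prefix.

    Accepts when a specific route exists, or when the box carries a
    default route and was configured to let uRPF count the default
    (the behaviour of Cisco's allow-default option, modelled here as a
    boolean). Interface matching is deliberately left out.
    """
    if asn in rib:
        return True
    return has_default and allow_default


# Constructed topology: X announces to six upstreams U1..U6 and tags
# NO_EXPORT toward U1 only. C is single-homed to U1 with no default;
# M is homed to U1 and U2.
TOPOLOGY = {
    "X":  ["U1", "U2", "U3", "U4", "U5", "U6"],
    "U1": ["X", "C", "M", "U2"],
    "U2": ["X", "U1", "M"],
    "U3": ["X"],
    "U4": ["X"],
    "U5": ["X"],
    "U6": ["X"],
    "C":  ["U1"],
    "M":  ["U1", "U2"],
}


def report(rib, ases):
    """Return {AS: AS_PATH or None} for the ASes of interest."""
    return {a: rib.get(a) for a in ases}


if __name__ == "__main__":
    rib = propagate("X", TOPOLOGY, {"U1"})
    for asn, path in report(rib, ["U1", "U2", "C", "M"]).items():
        print(f"{asn}: {'no route' if path is None else ' '.join(path)}")
    print("C strict uRPF, no default:",
          strict_urpf_accepts(rib, "C", has_default=False))
    print("C strict uRPF, default + allow-default:",
          strict_urpf_accepts(rib, "C", has_default=True, allow_default=True))
```

Running it shows U1 holding the route (AS_PATH "X") but never passing it on, C ending up with nothing, and M learning it via U2 with AS_PATH "U2 X". The strict-uRPF lines show why a customer in C's position drops return traffic from X's prefix unless it carries a default and lets uRPF use it.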
