[c-nsp] Implementing Unicast RPF multi-homed network
Pekka Savola
pekkas at netcore.fi
Mon Jan 26 08:11:14 EST 2009
On Mon, 26 Jan 2009, Pete Templin wrote:
>> FWIW, loose mode for multi-homed customers is basically useless. It
>> probably mainly drops their leaking RFC1918 address space but that's it.
>>
>> You really should filter the multihomed customers for real.
>
> Speak up then. What filtering method do you propose?

If the multihomed customers have such messy advertisements that you
can't use strict, you should probably use manually configured ACLs
instead.

It is possible to get strict uRPF to work with multihomed customers,
but this requires some tuning. With some vendors (e.g.
Juniper with 'feasible-paths' feature) this is easier. I'm not sure
if IOS implements this kind of knob. We use feasible-paths strict
uRPF on all our multihomed customers without major hassle.

RFC 3704 (esp S 2.3) talks a bit about this on a general level,
http://tools.ietf.org/html/draft-savola-bcp84-urpf-experiences may
also be useful.
-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
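
The three uRPF modes discussed in this message, as an added example that is not part of the original post: a small Python model of the loose, strict and feasible-path checks described in RFC 3704, run against a constructed routing table. The interface names, prefixes and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed RIB (documentation prefixes; interface names are hypothetical).
# Each prefix maps to its known paths as (interface, is_best_path).
RIB = {
    # Multihomed customer: also announced on our link, but the best path
    # currently points at the customer's other upstream via "transit".
    "198.51.100.0/24": [("cust1", False), ("transit", True)],
    # Unrelated Internet prefix, reachable only via transit.
    "203.0.113.0/24": [("transit", True)],
}

def lookup(src):
    """Longest-prefix match on the source address; [] means no route."""
    addr = ipaddress.ip_address(src)
    nets = [ipaddress.ip_network(p) for p in RIB]
    hits = [n for n in nets if addr in n]
    return RIB[str(max(hits, key=lambda n: n.prefixlen))] if hits else []

def urpf_accepts(mode, src, in_iface):
    """Return True if a packet from src arriving on in_iface passes the check."""
    paths = lookup(src)
    if mode == "loose":      # any route to the source, on any interface
        return bool(paths)
    if mode == "strict":     # best path must point back out in_iface
        return any(i == in_iface and best for i, best in paths)
    if mode == "feasible":   # any known path (best or not) via in_iface
        return any(i == in_iface for i, _ in paths)
    raise ValueError(f"unknown mode: {mode}")

# Constructed packets, all arriving on the customer-facing interface.
PACKETS = {
    "legitimate": "198.51.100.10",  # customer's own prefix
    "spoofed": "203.0.113.5",       # someone else's routable address
    "rfc1918": "10.1.2.3",          # leaked private address, no route
}

def verdicts(mode, in_iface="cust1"):
    return {name: urpf_accepts(mode, src, in_iface) for name, src in PACKETS.items()}

if __name__ == "__main__":
    for mode in ("loose", "strict", "feasible"):
        print(f"{mode:9}", verdicts(mode))
```

In this model feasible-path mode accepts the legitimate packet only because the customer's announcement is present on that link; a prefix the customer never advertises there would still be dropped.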