[c-nsp] Peer pointing default route to us

Saku Ytti saku at ytti.fi
Tue Sep 30 05:35:11 EDT 2014


On (2014-09-30 10:49 +0200), Lukas Tribus wrote:

> BCP 38 is about ingress filtering on customer links, not egress
> filtering on peers/upstream links, or am I missing something?

Verifying the source address at ingress (customer port) or at egress (transit,
peer port) can produce a similar result.
The difference is that, when done at egress (only), your customers could still spoof
the address of another customer in your network, just not anyone else's.

> Are you talking about static ACLs matching source IPs and applying
> it in the egress direction on peers/upstreams?

Yes he is.

> I don't see how that is supposed to scale.

Generate prefix-list from as-set, deploy.

> BCP38 (ingress filtering) sure, but egress filtering will just break
> your network, imho.

Depending on how high quality your as-set is, it might not. In the RIPE area we can
reasonably expect to have perfect AS-SET information from our customers (and
ask them to fix mistakes during activation). I know that in the ARIN area such an
expectation is not reasonable at all.

-- 
  ++ytti
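As an added example (not part of the thread, and not anyone's production tooling), the as-set to prefix-list step and the ingress-versus-egress difference discussed above, worked through in Python against constructed RPSL-style as-set and route objects rather than a live IRR query (in practice a tool such as bgpq3 does the expansion). The as-set names, ASNs and prefixes are made up; the ACL output is IOS-style.

```python
import ipaddress

# Constructed as-set membership and route objects (origin -> prefixes).
# Not real registry data. AS-EXAMPLE-DOWNSTREAM refers back to its parent
# set on purpose, which is a loop a naive expander would chase forever.
AS_SETS = {
    "AS-EXAMPLE-CUSTOMERS": ["AS64500", "AS64501", "AS-EXAMPLE-DOWNSTREAM"],
    "AS-EXAMPLE-DOWNSTREAM": ["AS64502", "AS-EXAMPLE-CUSTOMERS"],
}
ROUTES = {
    "AS64500": ["192.0.2.0/24"],
    "AS64501": ["198.51.100.0/25", "198.51.100.128/25"],
    "AS64502": ["203.0.113.0/24"],
}

def expand_as_set(name, seen=None):
    """Recursively resolve an as-set to its member ASNs; 'seen' stops loops."""
    if seen is None:
        seen = set()
    seen.add(name)
    asns = set()
    for member in AS_SETS.get(name, []):
        if member.startswith("AS-"):          # nested as-set
            if member not in seen:
                asns |= expand_as_set(member, seen)
        else:                                 # plain ASN
            asns.add(member)
    return asns

def prefix_list_for(as_set):
    """All prefixes the customer cone may originate, aggregated where adjacent."""
    nets = [ipaddress.ip_network(p)
            for asn in expand_as_set(as_set) for p in ROUTES.get(asn, [])]
    return sorted(ipaddress.collapse_addresses(nets))

def egress_permits(prefixes, src):
    """Egress filter on a peer/transit port: source must be inside our cone."""
    ip = ipaddress.ip_address(src)
    return any(ip in n for n in prefixes)

def ingress_permits(customer_asn, src):
    """BCP 38 ingress filter on one customer port: source must be that customer's."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in ROUTES.get(customer_asn, []))

def render_ios_acl(name, prefixes):
    """Emit an IOS-style extended ACL permitting only our cone as source."""
    lines = [f"ip access-list extended {name}"]
    for n in prefixes:
        lines.append(f" permit ip {n.network_address} {n.hostmask} any")
    lines.append(" deny ip any any log")   # everything else is spoofed from our side
    return "\n".join(lines)
```

A packet from customer AS64500's port with a source inside AS64501's space passes the egress filter (it is inside the cone) but fails the ingress filter on AS64500's port, which is exactly the gap described above.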