[ednog] Walled gardens & anycast (oh my!)

Dave McGaugh dmcgaugh at cac.washington.edu
Thu Apr 7 18:15:35 EDT 2005

On Apr 7, 2005, at 12:22 PM, Kevin Miller wrote:

> Hey all-
> Sorry for the lag here.. I've been processing mail a bit late.
> Anyway, an idea that was (mostly) Dave Farmer's but I find interesting
> is to modify uRPF and use MPLS for walled gardens. To give a bit of
> background: for a while (when at CMU) I thought about using uRPF as a
> good way to drop hosts off the net quickly. The idea is to interface
> quagga/zebra with your blacklist. When you want to drop someone, just
> announce a /32 to the IP, and uRPF will drop the traffic at the ingress
> interface.

To elaborate on this slightly, on Cisco routers, if the /32 is to 
Null0, this uRPF drop works in both loose and strict mode as IOS sees 
the route to Null0 as a "null CEF adjacency" and is thus invalid, hence 
the drop.

On other routing platforms (at least Juniper), you must use uRPF in 
strict mode as it sees the route to discard as a legitimate contributor 
to the routing table and thus a useable loose mode path.

While strict versus loose might not be interesting at the edge, it is 
useful to have the drop behavior in loose mode deeper into your 
infrastructure where asymmetric routing might be present.

> An extension of this would be if you could tell uRPF instead to drop it
> into an MPLS VRF (aka Walled Garden #1). Then you can redirect it to
> your patch page or what have you.

I believe a number of vendors are working on various methods of 
dynamic-ish policy based routing that could be useful in this 
situation. It should be interesting to see what they come up with... 
and whether it will be vendor interoperable.


> So it's not so much anycast, but using similar pieces. :)
> -Kevin
> -- 
> Kevin C. Miller
> Network Architect
> Office of Information Technology
> Duke University
> _______________________________________________
> ednog mailing list
> ednog at puck.nether.net
> https://puck.nether.net/mailman/listinfo/ednog
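
The loose versus strict behaviour described in this message, as an added example that is not part of the original post and is not vendor code: a simplified model of the uRPF decision with a /32 discard route. The FIB contents, interface names and the `discard_is_valid` switch are assumptions made for illustration; `discard_is_valid=False` models the Cisco IOS behaviour the message describes, `True` the Juniper behaviour it describes.

```python
import ipaddress

DISCARD = "discard"  # stands in for Null0 / a discard next hop

# Constructed FIB: documentation prefix, hypothetical interface names.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "core-a",
    ipaddress.ip_network("192.0.2.66/32"): DISCARD,  # blacklisted host
}

def lookup(fib, src):
    """Longest-prefix match; returns the outgoing interface or None."""
    addr = ipaddress.ip_address(src)
    matches = [net for net in fib if addr in net]
    if not matches:
        return None
    return fib[max(matches, key=lambda net: net.prefixlen)]

def urpf_permits(fib, src, in_iface, mode, discard_is_valid):
    """Simplified uRPF check on the packet's source address.

    mode is 'strict' or 'loose'. discard_is_valid says whether the
    platform treats a discard route as a usable loose-mode path.
    """
    out_iface = lookup(fib, src)
    if out_iface is None:
        return False                      # no route back to the source
    if out_iface == DISCARD:
        # Strict mode: a discard next hop never equals the ingress interface.
        return mode == "loose" and discard_is_valid
    if mode == "strict":
        return out_iface == in_iface      # must arrive on the return path
    return True                           # loose: any valid route suffices

def decision_table(fib=FIB):
    """Blacklisted host vs. a legitimate host arriving asymmetrically."""
    rows = {}
    for src, in_iface in (("192.0.2.66", "core-a"), ("192.0.2.10", "core-b")):
        for mode in ("strict", "loose"):
            for valid in (False, True):
                rows[(src, mode, valid)] = urpf_permits(fib, src, in_iface, mode, valid)
    return rows

if __name__ == "__main__":
    for key, permitted in decision_table().items():
        print(key, "permit" if permitted else "drop")
```

The table shows the trade-off the message points at: where asymmetric routing is present, strict mode also drops the legitimate host, while loose mode only drops the blacklisted one if the platform treats the discard route as invalid.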
