[j-nsp] SCU / flows for ingress traffic filtering.
Thomas Mangin
thomas.mangin at exa-networks.co.uk
Tue Oct 18 20:23:50 EDT 2005
Pedro Roque Marques wrote:
> The idea behind flow routes is to address 2 issues:
> - <destination>/32 is not really granular enough... i.e. the attacker
> is happy in the end given that the destination is offline for all traffic.
> - <destination>/32 are tricky to handle... given that they are more
> specific they will block that destination... even if the guy injecting
> the more specific shouldn't be doing so.
Makes sense.
>> rpf is way insufficient when it comes to filtering incoming traffic.
>> Turning on strict mode with feasible path will knock down a good part of
>> the net.
>
> Why is that? "feasible-path" should allow you to deal w/ asymmetrical
> paths... i.e. MED prefers exit point such and such. It sort of requires
> a consistent set of advertisements... i.e. for preference to be
> expressed via MED and not by not advertising a least preferred route.
You find quite a few ISPs who are buying "backup transit" where they get
a full/partial BGP table from their upstream but do not announce their
network fully/at all.
It seems this is often done for traffic engineering / getting cheap
backup transit and is causing rpf to block the returning traffic.
I think this is bad practice but it is quite a widespread practice,
as I have found the hard way... If you ask me, this practice should be
"banned" but this is not going to happen!
> Agree... loose mode is pointless. I used to have this discussion w/
> Jared when he was asking us for "loose mode"... I kept telling him that
> it would be easier for us to provide the script kids w/ a library that
> checks if a randomly assigned address is allocated or not ;-)
If you have a full routing table, it is better than nothing and does not
harm like an out-of-date bogon list.
> You may need a combination of all the methods above :-)
There is never only one solution to a problem :)
Thomas
--
Exa Networks Limited - UK - AS30740 - www.exa-networks.co.uk
nic-handle : MANG-RIPE website : thomas.mangin.me.uk
GPG key ID : 0xFB8B81A1 PGP key : /pgp.html
Inoc-DBA # : 30740*TOM Office # : +44 (0) 845 145 1234
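As an added illustration (not part of the original thread, and not Junos or any vendor's code), the following Python models the three uRPF modes the exchange above contrasts, strict, feasible-path and loose, against a constructed routing table. Interface names, prefixes and both customer scenarios are assumptions. Customer A is Thomas's backup-transit case: it takes a full table but announces nothing, so neither strict nor feasible-path mode has a path for its prefix on that interface and its return traffic is dropped unless loose mode is used. Customer B advertises consistently with a MED preference, which is the situation Pedro's feasible-path argument relies on.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional

# Hypothetical model of the three uRPF modes discussed in the thread.
# Interface names, prefixes and the scenarios are constructed for illustration.

class Path(NamedTuple):
    iface: str    # interface the BGP path was received over
    active: bool  # True for the path actually installed in the FIB

# Constructed RIB of a transit provider's edge router. Every received path is
# kept, not only the active one, because feasible-path uRPF consults alternates.
RIB: Dict[str, List[Path]] = {
    # Customer A bought "backup transit" on ge-0/0/0: it takes a full table from
    # us but announces nothing, so we only know 192.0.2.0/24 via a peer on ge-0/0/3.
    "192.0.2.0/24": [Path("ge-0/0/3", True)],
    # Customer B announces 198.51.100.0/24 on both of its links and uses MED to
    # make ge-0/0/2 the less preferred (backup) path.
    "198.51.100.0/24": [Path("ge-0/0/1", True), Path("ge-0/0/2", False)],
}

def longest_match(src: ipaddress.IPv4Address,
                  rib: Dict[str, List[Path]]) -> Optional[str]:
    """Return the most specific RIB prefix covering src, or None if unrouted."""
    best: Optional[str] = None
    for prefix in rib:
        net = ipaddress.ip_network(prefix)
        if src in net and (
            best is None or net.prefixlen > ipaddress.ip_network(best).prefixlen
        ):
            best = prefix
    return best

def urpf_allows(mode: str, src_ip: str, in_iface: str,
                rib: Dict[str, List[Path]] = RIB) -> bool:
    """Apply one uRPF mode to a packet with source src_ip arriving on in_iface."""
    src = ipaddress.ip_address(src_ip)
    prefix = longest_match(src, rib)
    if prefix is None:
        return False  # every mode drops a source with no route at all
    paths = rib[prefix]
    if mode == "loose":
        return True   # any route to the source, on any interface, is enough
    if mode == "strict":
        # only the active (FIB) path counts, and it must point back out in_iface
        return any(p.active and p.iface == in_iface for p in paths)
    if mode == "feasible":
        # any received path via in_iface counts, active or not
        return any(p.iface == in_iface for p in paths)
    raise ValueError(f"unknown uRPF mode: {mode}")

def evaluate(src_ip: str, in_iface: str) -> Dict[str, bool]:
    """Run all three modes on one packet so they can be compared side by side."""
    return {m: urpf_allows(m, src_ip, in_iface) for m in ("strict", "feasible", "loose")}

if __name__ == "__main__":
    cases = [
        ("customer A return traffic on its backup-transit link", "192.0.2.10", "ge-0/0/0"),
        ("customer B return traffic on its less-preferred link", "198.51.100.7", "ge-0/0/2"),
        ("spoofed source from unrouted space", "10.0.0.1", "ge-0/0/0"),
    ]
    for label, src, iface in cases:
        print(f"{label}: {evaluate(src, iface)}")
```

Running it shows the asymmetry Thomas describes: customer A's traffic survives only loose mode, customer B's backup-link traffic is dropped by strict but passed by feasible-path, and the unrouted source is dropped by all three, which is the one thing loose mode still buys you over nothing.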