[j-nsp] SCU / flows for ingress traffic filtering.

Thomas Mangin thomas.mangin at exa-networks.co.uk
Tue Oct 18 20:23:50 EDT 2005


Pedro Roque Marques wrote:

> The idea behind flow routes is to address 2 issues:
>  - <destination>/32 is not really granular enough... i.e. the attacker
> is happy in the end given that the destination is offline for all traffic.
>  - <destination>/32 are tricky to handle... given that they are more
> specific they will block that destination... even if the guy injecting
> the more specific shouldn't be doing so.

Makes sense.

>> rpf is way insufficient when it comes to filter incoming traffic.
>> Turning strict mode with feasible path will knock down a good part of
>> the net.
> 
> Why is that ? "feasible-path" should allow you to deal w/ asymmetrical
> paths... i.e. MED prefers exit point such and such. It sort of requires
> a consistent set of advertisements... i.e. for preference to be
> expressed via MED and not by not advertising a least preferred route.

You find quite a few ISPs who are buying "Backup transit" where they get
a full/partial BGP table from their upstream but do not announce their
network fully/at all.

It seems this is often done for traffic engineering / getting cheap
backup transit, and is causing rpf to block the returning traffic.

I think this is bad practice, but it is quite a widely spread practice,
as I have found the hard way ... If you ask me, this practice should be
"banned" but this is not going to happen !

> Agree... loose mode is pointless. I used to have this discussion w/
> Jared when he was asking us for "loose mode"... i kept telling him that
> it would be easier for us to provide the script kids w/ a library that
> checks if a randomly assigned address is allocated or not ;-)

If you have a full routing table, it is better than nothing and does not
harm like an out-of-date bogon list.

> You may need a combination of all the methods above :-)

There is never only one solution to a problem :)

Thomas
-- 
Exa Networks Limited - UK - AS30740 - www.exa-networks.co.uk
nic-handle : MANG-RIPE   website  : thomas.mangin.me.uk
GPG key ID : 0xFB8B81A1  PGP key  : /pgp.html
Inoc-DBA # : 30740*TOM   Office # : +44 (0) 845 145 1234
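As an added illustration (not part of the thread, and not Junos code), the following Python simulates the three uRPF modes the thread contrasts. The RIB, prefixes and interface names are constructed: it models the upstream's edge router, where a customer buying "backup transit" without announcing its prefix fails both strict and feasible-path checks, while loose mode only rejects sources with no route at all.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str    # e.g. "198.51.100.0/24"
    iface: str     # interface this path points out of (the one it was learned on)
    best: bool     # True for the active path installed in the forwarding table

class Rib:
    """Minimal routing table that keeps every path, including non-best ones."""
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(r.prefix), r) for r in routes]

    def lookup(self, src):
        """Longest-prefix match; returns all paths of the most specific prefix."""
        addr = ipaddress.ip_address(src)
        hits = [(n, r) for n, r in self.routes if addr in n]
        if not hits:
            return []
        longest = max(n.prefixlen for n, _ in hits)
        return [r for n, r in hits if n.prefixlen == longest]

def urpf_passes(rib, src, ingress, mode):
    """True if a packet from src arriving on ingress passes uRPF in the given mode."""
    paths = rib.lookup(src)
    if mode == "loose":          # any route to the source at all
        return bool(paths)
    if mode == "strict":         # the active path must point back out the ingress interface
        return any(p.best and p.iface == ingress for p in paths)
    if mode == "feasible-path":  # any received (even non-best) path via the ingress interface
        return any(p.iface == ingress for p in paths)
    raise ValueError(f"unknown uRPF mode: {mode}")

def evaluate(rib, src, ingress):
    """Verdict of every mode for one (source, ingress interface) pair."""
    return {m: urpf_passes(rib, src, ingress, m) for m in ("strict", "feasible-path", "loose")}

# Constructed RIB of the upstream's edge router (hypothetical values).
# ge-0/0/0 faces the customer ISP; ge-0/0/1 is another path to the same prefixes.
UPSTREAM_RIB = Rib([
    # Customer announces 198.51.100.0/24 on both links; MED prefers ge-0/0/1.
    Route("198.51.100.0/24", "ge-0/0/1", best=True),
    Route("198.51.100.0/24", "ge-0/0/0", best=False),
    # "Backup transit": customer does NOT announce 192.0.2.0/24 to us at all,
    # so the only path we hold is via ge-0/0/1.
    Route("192.0.2.0/24", "ge-0/0/1", best=True),
])

if __name__ == "__main__":
    for src in ("198.51.100.10", "192.0.2.10", "203.0.113.10"):
        print(src, evaluate(UPSTREAM_RIB, src, "ge-0/0/0"))
```

The asymmetric case passes feasible-path but not strict; the unannounced "backup transit" prefix fails both and only survives loose mode, which in turn is the only mode that still drops the unrouted 203.0.113.10 source.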