[j-nsp] out-bound anti-spoofing rules when using community-based routing

Peter E. Fry pfry-lists at redsword.com
Thu Jan 24 14:00:44 EST 2008


[...]
>   I'm now struggling to find another way to prevent our
> customers from spoofing.  The previous method relied on a
> firewall filter which indeed references a prefix-list of
> all our customers' space.  I'm having a hard time getting
> away from this, as I can't create a firewall filter which
> will look up the community assigned to a source-address
> (to see if it's legitimately a customer).
>   How have others gotten around this?  Am I overlooking
> something?  Or is maintaining large lists the only way to
> go?

  I'm curious myself...
  I guess URPF doesn't fit your needs?  I'm not sure how a
community match would differ a whole lot.  Sadly enough, the
best method I can think of offhand would be to run two
filters -- one general and one specific to the customer
link.
  By the way:

> config cbq.1 traffic-class.Test src-bgp-
completions are:
        src-bgp-as-expression
        src-bgp-community

That's from an old Lucent (Xedia) router (I use it as a
traffic shaper on my DSL).  It'd be nice if the big two
would pick up some of the odd innovations from old, dead
devices like this one.  Never can tell when you'll want to
filter packets by domain name, AS, community, etc.

Peter E. Fry
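As an added illustration (not part of the original post or anyone's production config), this is roughly how the uRPF suggestion and a per-customer-link prefix filter might sit side by side on a Junos customer interface; the interface, filter, counter and prefix-list names and the 192.0.2.0/24 block are hypothetical placeholders.

```junos
interfaces {
    ge-0/0/1 {
        description "Hypothetical customer A (example only)";
        unit 0 {
            family inet {
                /* strict uRPF: drop sources not routed back via this interface */
                rpf-check;
                /* customer-specific filter, applied only on this link */
                filter {
                    input cust-A-antispoof;
                }
                address 198.51.100.1/30;
            }
        }
    }
}
policy-options {
    /* customer A's assigned space (constructed example value) */
    prefix-list cust-A-space {
        192.0.2.0/24;
    }
}
firewall {
    family inet {
        filter cust-A-antispoof {
            term allow-own-space {
                from {
                    source-prefix-list {
                        cust-A-space;
                    }
                }
                then accept;
            }
            /* anything else sourced on this link is spoofed: count, then discard */
            term drop-spoofed {
                then {
                    count cust-A-spoofed;
                    discard;
                }
            }
        }
    }
}
```

The counter on the discard term gives an operational signal (show firewall counter) that a customer is sourcing traffic outside its assigned space, which uRPF alone does not expose as clearly.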
