[j-nsp] out-bound anti-spoofing rules when using community-based routing
Pekka Savola
pekkas at netcore.fi
Thu Jan 24 14:27:05 EST 2008
On Thu, 24 Jan 2008, David Ball wrote:
> I'm now struggling to find another way to prevent our customers from
> spoofing. The previous method relied on a firewall filter which
> indeed references a prefix-list of all our customers' space. I'm
> having a hard time getting away from this, as I can't create a
> firewall filter which will look up the community assigned to a
> source-address (to see if it's legitimately a customer).
> How have others gotten around this? Am I overlooking something? Or
> is maintaining large lists the only way to go ?
Firewall filters are programmed on the ASICs. As a result, they can't
change dynamically based on control plane information (routes), at
least this wasn't possible a couple of years ago.
You'll need the list of prefixes in any case. You'll want to have
inbound policy reject routes that advertise more specifics of your
address space (routing hijack). Community-based mechanisms won't help
with that, so you'll need a static list.
If you build the prefix lists in a flexible manner, you can also
use the same prefix lists to do egress/ingress filtering at your
peering/upstream edges.
At the customer edge you can probably use uRPF and static prefix lists
for BGP customers.
This is a bit more generic but may be useful to you (comments
welcome):
http://tools.ietf.org/id/draft-savola-rtgwg-backbone-attacks-03.txt
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
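An added configuration sketch of the approach described in the reply, not taken from the post or from Juniper: one set of static prefix-lists reused by a customer-edge firewall filter (with uRPF on the same interface) and by an inbound BGP policy at the upstream edge that rejects more-specifics of the provider's own space. Interface names, neighbor addresses and list names are assumed, using RFC 5737 documentation prefixes.

```junos
policy-options {
    /* provider aggregates; reused by the routing policy below */
    prefix-list our-space {
        192.0.2.0/24;
        198.51.100.0/24;
    }
    /* one static list per BGP customer, referenced by the filter */
    prefix-list cust-a {
        192.0.2.0/26;
    }
    policy-statement upstream-in {
        /* anything inside our own space from an upstream is a hijack */
        term drop-own-more-specifics {
            from prefix-list-filter our-space orlonger;
            then reject;
        }
        term rest {
            then accept;
        }
    }
}
firewall {
    family inet {
        filter cust-a-antispoof {
            /* only sources in the customer's static list may enter */
            term customer-sources {
                from source-prefix-list { cust-a; }
                then accept;
            }
            /* everything else is spoofed: count it, then drop it */
            term spoofed {
                then { count spoofed; discard; }
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                rpf-check;
                filter { input cust-a-antispoof; }
                address 203.0.113.1/30;
            }
        }
    }
}
protocols {
    bgp {
        group upstreams {
            import upstream-in;
            neighbor 203.0.113.10;
        }
    }
}
```

The `spoofed` counter gives a cheap per-customer signal of spoofing attempts via `show firewall filter cust-a-antispoof`.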