[j-nsp] out-bound anti-spoofing rules when using community-based routing

Pekka Savola pekkas at netcore.fi
Thu Jan 24 23:56:51 EST 2008


On Thu, 24 Jan 2008, David Ball wrote:
>   I suppose uRPF would do the trick, though since I have some
> customers with redundant connectivity to us, asymmetry is possible.
> So, in that case we'd end up having to maintain prefix-lists after
> all, which we'd reference in the 'rpf-check fail-filter'.

As already replied, feasible-paths can help here.

We use feasible-paths uRPF also on multihomed customers, some of which 
sometimes have asymmetry -- it works fine provided that the customer's 
announcements are "consistent".  There are also some other cases that 
you may need to consider, see section 3 of 
http://tools.ietf.org/id/draft-savola-bcp84-urpf-experiences-03.txt

One example which would NOT work is that your customer advertises an 
aggregate through you and more specifics through your peer, and you 
accept those more specifics from your peer.  The customer would need 
to advertise the same more specifics to you as well, but use a 
community to mark them so that you won't readvertise them.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
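As an added illustration (not part of the original post or of either poster's configuration), here is a Junos-style configuration sketch of the setup described above: feasible-paths uRPF on the customer-facing interface, an optional fail-filter for the few packets that should survive an RPF failure, an import policy that accepts the customer's aggregate plus the community-tagged more-specifics, and an export policy that refuses to readvertise anything carrying that community. The interface name, addresses, AS and community values, prefixes and policy names are assumptions chosen for the example.

```junos
/* Added example, not from the original thread. All names, prefixes,
   AS numbers and community values below are assumptions. */

routing-options {
    forwarding-table {
        /* feasible-paths: a source passes uRPF if ANY path in the RIB for
           that prefix (not only the active one) points back at the ingress
           interface. This is what tolerates the asymmetric multihomed
           customer; active-paths would not. */
        unicast-reverse-path feasible-paths;
    }
}

interfaces {
    ge-0/0/0 {
        description "customer AS65001, link A";
        unit 0 {
            family inet {
                address 192.0.2.1/30;
                rpf-check {
                    /* packets failing the check are handed to this filter;
                       whatever it accepts is forwarded, the rest is dropped */
                    fail-filter rpf-exceptions;
                }
            }
        }
    }
}

firewall {
    family inet {
        filter rpf-exceptions {
            /* example exception: BOOTP/DHCP discovery from an unnumbered host */
            term allow-bootp {
                from {
                    source-address 0.0.0.0/32;
                    destination-address 255.255.255.255/32;
                }
                then accept;
            }
            term default {
                then {
                    count rpf-fail;
                    discard;
                }
            }
        }
    }
}

policy-options {
    /* community the customer attaches to more-specifics that exist only
       to make uRPF happy and must not leave our AS (value is assumed) */
    community NO-READVERTISE members 65000:666;
    community CUSTOMER-ROUTES members 65000:100;

    /* import from the customer: the aggregate becomes an exportable
       customer route; the more-specifics are accepted only when tagged,
       so they populate the RIB (and thus feasible-paths) but are not
       marked as customer routes for export */
    policy-statement from-customer-65001 {
        term aggregate {
            from route-filter 198.51.100.0/22 exact;
            then {
                community add CUSTOMER-ROUTES;
                accept;
            }
        }
        term tagged-more-specifics {
            from {
                route-filter 198.51.100.0/22 longer;
                community NO-READVERTISE;
            }
            then accept;
        }
        then reject;
    }

    /* export towards peers and upstreams: drop the uRPF-only routes first,
       then advertise ordinary customer routes */
    policy-statement to-peers {
        term drop-urpf-only-routes {
            from community NO-READVERTISE;
            then reject;
        }
        term customer-routes {
            from community CUSTOMER-ROUTES;
            then accept;
        }
        then reject;
    }
}
```

The point of the two policies is the ordering: the more-specifics must be accepted into inet.0 so that feasible-paths uRPF sees a path back to the customer interface, but the export policy must reject the community before the generic customer-routes term, otherwise the more-specifics would leak to peers and defeat the purpose of the customer announcing them via the peer in the first place.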

