[j-nsp] out-bound anti-spoofing rules when using community-based routing

David Ball davidtball at gmail.com
Fri Jan 25 12:56:44 EST 2008


  Thanks for the responses all, and for the pointer to the
'feasible-paths' config Doug.  Strange that they don't mention those
knobs in the 'RPF with asymmetry' docs at juniper.net.  As all of our
internet customers are put into the same routing-instance, I can't
help but wonder what resource issues I might encounter if
'feasible-paths' is enabled.  I've seen a few posts here and there on
the list with folks trying to save on resources by explicitly NOT
using RPF.  This would be done on T640s so perhaps there is less to
worry about on that front, but comments would be appreciated.
   Pekka, I'm not sure I caught why your example of a BGP customer
advertising an aggregate to us but the specifics to another upstream
wouldn't work.  If 'feasible-paths' is in use, doesn't that alleviate
the problem?  Even if the 'preferred' path is not their local port, we
should still have the aggregate which should pass the uRPF check, no?

David


On 24/01/2008, Pekka Savola <pekkas at netcore.fi> wrote:
> On Thu, 24 Jan 2008, David Ball wrote:
> >   I suppose uRPF would do the trick, though since I have some
> > customers with redundant connectivity to us, asymmetry is possible.
> > So, in that case we'd end up having to maintain prefix-lists after
> > all, which we'd reference in the 'rpf-check fail-filter'.
>
> As already replied, feasible-paths can help here.
>
> We use feasible paths uRPF also on multihomed customers, some of which
> have sometimes asymmetry -- works fine provided that the customer's
> announcements are "consistent".  There are also some other cases that
> you may need to consider, see section 3 of
> http://tools.ietf.org/id/draft-savola-bcp84-urpf-experiences-03.txt
>
> One example which would NOT work is that your customer advertises an
> aggregate through you and more specifics through your peer, and you
> accept those more specifics from your peer.  The customer would need
> to advertise the same more specifics to you as well, but use a
> community to mark them so that you won't readvertise them.
>
> --
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
>
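An added illustration of the point under discussion (not code from either poster or from Junos): a small model of the uRPF source lookup, run over a constructed RIB. Interface names, prefixes and the marker community value are all assumptions. It shows why feasible-paths handles the asymmetric-customer case but not the aggregate/more-specific case, since the check does a longest-prefix match on the source address and the /25 only has a path via the peer, and how the customer also sending the /25 with a "don't readvertise" community fixes it.

```python
from ipaddress import ip_address, ip_network

# Constructed RIB (sample data, not from a real router). prefix -> list of paths;
# each path records the interface it points back out of, whether it is the
# active path, and the BGP communities it carries.
NO_READVERTISE = "64500:666"  # assumed community value marking "do not readvertise"

# Scenario from the thread: customer is dual-homed to us (cust-a, cust-b) and
# announces the /24 aggregate; the /25 more specific is learned only via a peer.
RIB_BROKEN = {
    "192.0.2.0/24": [
        {"ifc": "cust-a", "best": True, "communities": set()},
        {"ifc": "cust-b", "best": False, "communities": set()},
    ],
    "192.0.2.0/25": [
        {"ifc": "peer", "best": True, "communities": set()},
    ],
}

# The fix Pekka describes: the customer also sends us the /25, tagged so we keep it
# in the RIB for uRPF but do not readvertise it.
RIB_FIXED = {
    "192.0.2.0/24": RIB_BROKEN["192.0.2.0/24"],
    "192.0.2.0/25": [
        {"ifc": "cust-a", "best": True, "communities": {NO_READVERTISE}},
        {"ifc": "peer", "best": False, "communities": set()},
    ],
}


def lookup(rib, src):
    """Longest-prefix match on the source address: the route uRPF actually checks."""
    addr = ip_address(src)
    hits = [(ip_network(p), paths) for p, paths in rib.items() if addr in ip_network(p)]
    if not hits:
        return None, []
    net, paths = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), paths


def urpf_passes(rib, src, ingress, feasible_paths=False):
    """Strict uRPF: the active path must point back out the ingress interface.
    feasible-paths uRPF: any path for the matched prefix may point there."""
    _, paths = lookup(rib, src)
    return any(p["ifc"] == ingress and (feasible_paths or p["best"]) for p in paths)


def export_prefixes(rib):
    """Prefixes we would readvertise: drop any whose active path carries the marker."""
    return sorted(p for p, paths in rib.items()
                  if not any(pa["best"] and NO_READVERTISE in pa["communities"] for pa in paths))
```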