[j-nsp] network engineering
Justin M. Streiner
streiner at cluebyfour.org
Fri Feb 6 12:10:09 EST 2009
On Fri, 6 Feb 2009, Tore Anderson wrote:
> 123.0.0.x is part of AS123's PA space, 321.0.0.x is part of AS321's.
> Routes received from AS123 have a higher localpref than those from AS321,
> for whatever reason - like simply being cheaper.
>
> If someone on the other side of the internet now sends an ICMP ping or
> whatever to 321.0.0.2 I'll end up routing the reply packet out through
> AS123, since the route to that particular other side of the internet has
> a higher localpref through AS123. However from AS123's point of view
> I'm now spoofing traffic from AS321's PA space, so they might feel free
> to drop the packet due to a failing uRPF check or whatever.
Your ISPs should not be implementing strict RPF on your interfaces to them
since you're multi-homed. Loose RPF should be OK. If one ISP or the
other (or both) is accomplishing RPF-like functionality using ACLs,
then they need to relax those ACLs to accept traffic from the space that
AS123 assigned to you. If you're doing RPF on your side, or implementing
ACL-based ingress/egress filtering, you should implement loose RPF and
consider relaxing your filter ACLs a bit.
jms
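
Added example, not part of the original message: a small Python model of the strict and loose RPF checks discussed above, as seen on AS123's customer-facing interface. The FIB, the interface names and the documentation prefixes (192.0.2.0/24 standing in for AS123's PA space, 198.51.100.0/24 for AS321's) are constructed assumptions, since the thread's 123.0.0.x and 321.0.0.x are placeholders.

```python
import ipaddress

# Constructed FIB for AS123's edge router (assumed, not from the thread).
# 192.0.2.0/24   stands in for AS123's PA space assigned to the customer
# 198.51.100.0/24 stands in for AS321's PA space, learned via BGP
# 203.0.113.0/24 stands in for a remote network
FIB = [
    ("192.0.2.0/24", "to-customer"),
    ("198.51.100.0/24", "to-transit"),
    ("203.0.113.0/24", "to-transit"),
]
FIB = [(ipaddress.ip_network(p), ifname) for p, ifname in FIB]

def best_route(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, ifname) for net, ifname in fib if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def urpf_accepts(fib, src, in_if, mode):
    """True if a packet with source `src` arriving on `in_if` passes the check."""
    route = best_route(fib, src)
    if route is None:
        return False              # no route to the source: both modes drop
    if mode == "loose":
        return True               # any route to the source is enough
    if mode == "strict":
        return route[1] == in_if  # best path back must use the arrival interface
    raise ValueError(f"unknown mode: {mode}")

def demo():
    """Check three constructed packets arriving from the multi-homed customer."""
    packets = [
        ("192.0.2.2", "to-customer"),     # sourced from AS123's own PA space
        ("198.51.100.2", "to-customer"),  # reply sourced from AS321's PA space
        ("10.9.9.9", "to-customer"),      # source with no route in the FIB
    ]
    return {(src, mode): urpf_accepts(FIB, src, in_if, mode)
            for src, in_if in packets for mode in ("strict", "loose")}

if __name__ == "__main__":
    for (src, mode), ok in demo().items():
        print(f"{src:15} {mode:6} {'accept' if ok else 'drop'}")
```

The reply sourced from the other provider's space fails only the strict check, while a source with no route at all is dropped in both modes, so loose mode still filters unroutable sources.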