[j-nsp] network engineering

Keegan.Holley at sungard.com Keegan.Holley at sungard.com
Fri Feb 6 13:06:33 EST 2009
My apologies, I misunderstood your question. However, isn't ICMP into your
connector networks a small thing? I don't think anything catastrophic
would happen if someone pinged your router and the return traffic took
your primary link. The traceroute packets would only be discarded if your
ISP has some sort of RPF enabled, which is rare on an internet link. Even
if they were, this would not affect traffic from your users or downstreams.
I guess you could do filter-based forwarding to rectify this behavior,
but it seems a little like putting out a match with a firehose.

Jm2c

Keegan

From: Tore Anderson <tore at linpro.no>
To: Keegan.Holley at sungard.com
Cc: juniper-nsp <juniper-nsp at puck.nether.net>, "Justin M. Streiner" <streiner at cluebyfour.org>
Date: 02/06/2009 12:20 PM
Subject: Re: [j-nsp] network engineering

* Keegan.Holley at sungard.com

> Direct routes always take precedence over BGP unless it's configured
> otherwise, so hopefully this address is in your IGP or next-hop-self is
> configured. Also, if you're talking only about the directly connected
> route used for your peer, wouldn't the return traffic be your fault for
> advertising 123.0.0/30 to AS321 and vice versa?

The direct routes on the eBGP links are only to 123.0.0.0/30 and
321.0.0.0/30 in my example. What I'm talking about is if someone sends
a ping from, say, 111.0.0.1 in AS111 (an AS to which I'm not connected),
to 321.0.0.2, and I want to reply to that ping. This is what happens:

The ping packet will reach me through the link to AS321 due to the fact
that 321.0.0.2 is part of AS321's PA space; I have no control over that.
However, when my router is replying to that packet it'll look up the
route to 111.0.0.1, find that it's available as an eBGP route (_not_ as
a directly connected route) through both AS123 and AS321, and since
routes learnt from AS123 have a higher local preference my router will,
by default, route the ping reply packet using the route through AS123.
Which is in my opinion bad, since the source address of the ping reply
is 321.0.0.2, part of AS321's PA space, not my own.

I believe the same problem will occur if 111.0.0.1 does a traceroute to
somewhere inside my network and the inbound packets come through AS321:
the ICMP TTL-exceeded packets will be routed out through AS123 and
possibly be discarded.

Regards,
-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/
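Added illustration of the forwarding decision both posters describe (not code from either of them or from Junos): a toy RIB with AS111's prefix learnt over both eBGP sessions, AS123 preferred by local preference, and a source-based (filter-based forwarding) override for replies sourced from the AS321 link address. The thread's 123/321 prefixes are not valid IPv4, so constructed RFC 5737 documentation addresses stand in for them; the upstream RPF model (accept only our announced PI block plus the /30 it assigned us) is an assumption.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the thread's example topology.
AS123_LINK = ipaddress.ip_network("192.0.2.0/30")     # our address: 192.0.2.2
AS321_LINK = ipaddress.ip_network("192.0.2.4/30")     # our address: 192.0.2.6
OUR_AS321_ADDR = ipaddress.ip_address("192.0.2.6")    # the pinged PA address
OUR_PI = ipaddress.ip_network("198.51.100.0/24")      # our own space, announced to both
PINGER = ipaddress.ip_address("203.0.113.1")          # host in AS111, not a neighbour

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: str          # which eBGP neighbour the route points at
    local_pref: int

# AS111's prefix is learnt over both sessions; AS123 carries the higher local-pref.
RIB = [
    Route(ipaddress.ip_network("203.0.113.0/24"), "AS123", 200),
    Route(ipaddress.ip_network("203.0.113.0/24"), "AS321", 100),
    Route(AS123_LINK, "AS123", 0),   # directly connected /30s
    Route(AS321_LINK, "AS321", 0),
]

def best_route(dst):
    """Longest prefix match, then highest local preference (toy BGP decision)."""
    candidates = [r for r in RIB if dst in r.prefix]
    return max(candidates, key=lambda r: (r.prefix.prefixlen, r.local_pref))

def egress_default(src, dst):
    """Plain destination-based forwarding: the source address plays no part."""
    return best_route(dst).via

# Filter-based forwarding: packets sourced from a neighbour's /30 are forced
# out that neighbour's link; everything else falls back to the normal lookup.
FBF_POLICY = {AS321_LINK: "AS321", AS123_LINK: "AS123"}

def egress_fbf(src, dst):
    for prefix, via in FBF_POLICY.items():
        if src in prefix:
            return via
    return egress_default(src, dst)

def upstream_rpf_accepts(upstream, src):
    """Assumed strict RPF at the upstream: it only has routes back to us for our
    PI block and for the /30 it assigned us, so other sources are dropped."""
    link = {"AS123": AS123_LINK, "AS321": AS321_LINK}[upstream]
    return src in OUR_PI or src in link

def ping_reply_delivered(forwarder):
    """Does a reply sourced from the AS321 link address survive the upstream RPF?"""
    via = forwarder(OUR_AS321_ADDR, PINGER)
    return via, upstream_rpf_accepts(via, OUR_AS321_ADDR)
```

With the default lookup the reply leaves via AS123 and fails its RPF check; with the source-based override it leaves via AS321 and is accepted, while traffic sourced from our own PI block still takes the preferred AS123 link either way.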