North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: router worms and International Infrastructure
The solution is a double border, possibly with VRF and inter-VRF routingmy border is very broad and it's not feasible to use acls on all equipment
Internal border sees 10/8 and 10/8 is in the FIB. 10/8 packets can be spoofed here, Infrastructure connects her
External border doesn't see 10/8, 10/8 is NOT in the FIB, 10/8 packets can't be spoofed. Internet connects here.
Internal <-> External links use routable IP space to not infect external with infrastructure routes.
External border cannot talk to infrastructure IPs but it doesn't need to.
External can route through infrastructure to customer CPE
10/8 can still be spoofed on the infrastructure but it will have to come from a customer, not from the Internet.
Also, consider the cases where customers push packets your way (for uRPF
This sounds like a broken design. Why have one way links? If a customer pushes packets my way and they don't announce that route to me I will drop the packets at my edge. If they want to send me those packets they need to announce. They can announce with AS path prepend x 1000 so I don't send them any traffic but the route needs to exist.
"does urpf feasible path stop a 'customer' from spoofing sources that areNo, but you don't use feasible path on links aimed at your customer, you use strict. If your router doesn't support strict then talk to your purchasing department.
Matthew S. Crocker
Crocker Communications, Inc.
PO BOX 710
Greenfield, MA 01302-0710