
Hey,
This is exactly my idea: why should I allow uRPF to pass traffic from routes not learned on this port? Why, if I have Cogent + Level3 and I denied the ^3356_174 and ^174_3356 AS paths for logical reasons, should I get spoofed traffic from Level3 ranges over the Cogent peering port? It's just silly that this kind of mode doesn't exist in uRPF ...
I'm aware it's due to hardware limitations, because uRPF looks into the FIB, not the BGP table or RIB, but that could help deny spoofed traffic that comes over tier 1 transit because BCP38 to the downstreams is not in place, or not automatic (I'm still thinking about why Level3 has an IRR and does use it for filtering downstreams ...)
I'm not at all sure what you are trying to say, but on many platforms you can write 'hints' to HW based on BGP communities or AS_PATH and then use these 'hints' in an ACL. A simplified view would be that you're matching AS_PATH in the ACL. However, if I understood your scenario right, I don't think what you propose fixes any spoofing issues in your scenario. The only anti-spoofing that makes sense towards your transit provider is dropping your own source addresses. Some vendors also support 'strict feasible', which is essentially a RIB match instead of a FIB match (but technically obviously not the RIB; the HW just gets more information about 'feasible' paths).
There is a much cheaper feature which has worked for decades and applies better to this problem. When you generate the list of prefixes ISP2 COULD announce to you, it includes the prefix ISP3 is NOT announcing, but COULD. Use the same prefix-list you use for BGP announcements in your ACL.
Yeah, agreed, but not usable and programmable regarding huge upstream values (over 100; I know HW that even for smaller values will say "my ASIC is limited, man").
Similarly, it's easy to find a device which can't hold the DFZ in FIB, but you wouldn't buy that device as your edge box. Usually the really cheap and dense boxes are not edge capable anyhow, due to poor control-plane protection, and all proper edge boxes have large ACLs, at what I view as perfectly affordable prices from Juniper, Nokia, Huawei and Cisco. Maybe 20-30k for a few 100GE and what have you, likely not a significant 5-year TCO on the actual company-wide bottom line. -- ++ytti
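To make the difference between the three uRPF modes discussed above and the prefix-list ACL concrete, here is an added toy model (not code from anyone in the thread). The port names, prefixes and the "could announce" lists are constructed assumptions; the two sample packets are the spoofed Level3 source arriving on the Cogent port and a legitimately asymmetric Cogent-customer source arriving on the Level3 port.

```python
import ipaddress

# Constructed toy routing state for the scenario in the thread: two transit
# ports, "l3" (Level3, AS3356) and "cogent" (Cogent, AS174). Port names and
# prefixes are assumptions for illustration only.
# Each RIB entry: (prefix, port the route was learned on, best-path flag).
# The FIB holds only the best-path entries.
RIB = [
    ("203.0.113.0/24", "l3", True),       # Level3 customer; the ^174_3356 path was rejected
    ("198.51.100.0/24", "cogent", True),  # Cogent customer, best path via Cogent
    ("198.51.100.0/24", "l3", False),     # same prefix also heard via Level3 (feasible)
]

# What each provider COULD announce (e.g. expanded from its IRR as-set); the
# same prefix-list used for inbound BGP filtering, reused as an ingress ACL.
COULD_ANNOUNCE = {
    "cogent": ["198.51.100.0/24"],
    "l3": ["203.0.113.0/24", "198.51.100.0/24"],
}

def _ports_with_route(src, best_only):
    """Ports that carry a route covering src (FIB if best_only, else full RIB)."""
    ip = ipaddress.ip_address(src)
    return [port for pfx, port, best in RIB
            if ip in ipaddress.ip_network(pfx) and (best or not best_only)]

def urpf_loose(src, port):
    """Loose mode: pass if the FIB has any route to the source, whatever the port."""
    return bool(_ports_with_route(src, best_only=True))

def urpf_strict(src, port):
    """Strict mode: pass only if the FIB best path to the source points at this port."""
    return port in _ports_with_route(src, best_only=True)

def urpf_feasible(src, port):
    """Feasible-path mode: pass if any RIB path, best or alternate, is via this port."""
    return port in _ports_with_route(src, best_only=False)

def acl_permit(src, port):
    """Prefix-list ACL: pass if the provider on this port could legitimately send src."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in COULD_ANNOUNCE.get(port, []))

if __name__ == "__main__":
    for src, port in (("203.0.113.5", "cogent"), ("198.51.100.9", "l3")):
        print(src, port, "loose", urpf_loose(src, port), "strict", urpf_strict(src, port),
              "feasible", urpf_feasible(src, port), "acl", acl_permit(src, port))
```

Loose mode lets the spoofed Level3 source through the Cogent port, strict mode stops it but also drops the legitimate asymmetric packet on the Level3 port, while feasible-path mode and the prefix-list ACL get both cases right.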