Alex.Bligh writes:
"Justin W. Newton" <justin@erols.com> wrote:
At 09:08 PM 9/9/96 -0400, Avi Freedman wrote:
This is *exactly* the right thing to do; every provider which does not provide complicated transit (which excludes even certain regionals, alas) should do this at their borders if they don't do it at each customer connect.
And everyone should at least filter on each customer 56k/t1/etc... I know router cycles are tight but it might *really* become imperative...
Am I missing something....
If I am announcing a network via BGP I am more or less agreeing to carry traffic for it. If I am not I am not. Therefore, if I filter based on my outbound BGP announcements and do not allow any packets which have a source address not originating from a network in my BGP announcements then I should not be causing any harm to the networks which I am providing connectivity to. This has the added benefit of stopping people from defaulting into me at exchange points as I will not carry that traffic across my backbone. I'd love to hear the holes in this theory.
I think you are talking about filtering inbound packets to your router and restricting them to BGP announcements (I don't think Avi was - see below). This would be done on the destination address (checking it was within your announced route set) and thus doesn't help protect against spoofed source addresses.
No, Justin's talking about filtering _customers'_ packets at Justin's border with the customer. No BGP involved. This assumes customers that are not providers (ie, no transit for other nets through the customer). Good enough if all providers do the right thing (or if almost all do). What Justin meant about his BGP announcements was that a customer's packet is legal IFF Justin's announcing that packet's net by BGP (on _behalf_ of the customer, not _to_ the customer). Again, customer means a site that's not a BGP peer.
I *think* what Avi was talking about was filtering outbound packets by source address and checking these are within announced routes.
Taht was one thing Avi mentioned (he showed access lists for that). But he was also talking about the stuff Justin did, which was his (and my) main point.
This has additional problems to those listed below where, for instance, there are deliberately asymmetrical announcements.
Here's some complications with both schemes. Suppose you [...]
Yes, all these schemes fail between peers. The point is that they protect against rogue customers. If an attack happens anyway, we discover the provider that has failed to guard against it's own customers' malfeasance, and we shun that provider. That'll bring it around fast enough, once most providers are doing the Right Thing. /a