On Thu, 14 Oct 2004, Daniel Roesen wrote:
> On Thu, Oct 14, 2004 at 08:05:50AM +0300, Pekka Savola wrote:
> > If you do 'feasible path strict uRPF' as described in BCP84 (I don't know if others than Juniper are providing that), you can enable strict uRPF toward those customers, still de-pref them, and accept the packets with correct source addresses.
> >
> > That's what we do with our customers whether multihomed or not.
>
> And what do you do with a BGP customer which sends you traffic from prefixes he doesn't want to announce to you? There are such customers. Fail filter ACL?

Good point. It could be doable with fail-filter ACL, but we don't have any of these, so it'd be just a silent discard.

Honestly, I fail to see this as a big problem. If they don't want to announce the prefix to us, why would they want to source traffic from that prefix to us? The inbound traffic engineering is the more tricky business, not the outbound. If they want to keep the link usage low, they could just send it with no-export or no-advertise, or suitably prepended.

Except for really wacky asymmetric multihoming cases, I'd expect that some customers might actually want 'restricted' or 'internal' traffic to be discarded (compare to RFC1918 sourced traffic from enterprises, because they use RFC1918 but don't set up the discarding ACLs on their own).

-- 
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
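
The checks discussed in this thread, as an added example that is not part of either poster's message: a small Python model of strict versus feasible-path uRPF on a customer interface, with an optional fail-filter. The interface names, local-pref values and documentation prefixes are constructed, and best-path selection is simplified to local-pref only.

```python
import ipaddress

# Constructed RIB: every route learned for a prefix, not only the best one.
# prefix -> list of (interface, local_pref); all names and values are assumptions.
RIB = {
    "192.0.2.0/24": [("cust-A", 80), ("transit-1", 100)],  # announced to us, de-preffed
    "198.51.100.0/24": [("transit-1", 100)],               # customer's, not announced to us
}

def paths_for(src):
    """Longest-prefix match over the RIB; returns all known paths for src."""
    addr = ipaddress.ip_address(src)
    matches = [ipaddress.ip_network(p) for p in RIB if addr in ipaddress.ip_network(p)]
    if not matches:
        return []
    return RIB[str(max(matches, key=lambda n: n.prefixlen))]

def urpf(src, in_if, mode, fail_filter=()):
    """Return 'accept' or 'drop' for a packet from src arriving on in_if.

    strict:   the best path (highest local-pref here) must point at in_if.
    feasible: any received path for the source prefix may point at in_if.
    fail_filter: prefixes permitted even though the RPF check failed.
    """
    paths = paths_for(src)
    if mode == "strict":
        best = max(paths, key=lambda p: p[1], default=None)
        ok = best is not None and best[0] == in_if
    elif mode == "feasible":
        ok = any(iface == in_if for iface, _ in paths)
    else:
        raise ValueError("mode must be 'strict' or 'feasible'")
    if ok:
        return "accept"
    addr = ipaddress.ip_address(src)
    if any(addr in ipaddress.ip_network(n) for n in fail_filter):
        return "accept"
    return "drop"  # the silent discard mentioned in the reply

if __name__ == "__main__":
    for src, mode, ff in [("192.0.2.10", "strict", ()),
                          ("192.0.2.10", "feasible", ()),
                          ("198.51.100.5", "feasible", ()),
                          ("198.51.100.5", "feasible", ("198.51.100.0/24",)),
                          ("10.1.1.1", "feasible", ())]:
        print(src, mode, ff, "->", urpf(src, "cust-A", mode, ff))
```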