inline.... $author = "alok" ;
so its a hardware limitation?....bigger cores needed
not necessarily. if you do the filtering in the right places you can leave the core to do it's job of passing packets. also, the idea of filtering at the edges is designed to reduce the distance dud packets travel in your network, leaving your routers to worry about passing legit packets. =====> yup, but its fine if they reach the core as long as they dont go out of it onto some WAN ($$) link (surely u have enuf on ethernet and pretty much dont care whats there),... its still not hogging away bandwdith....but its the ideal point to know "everything" passing around..... :o)..specially Area -0 in OSPF.....
fair enuf...... 2 schools of thought, and ur idea makes sense too... no denying that...but you have corner cases... which wont come up if it could be in the core.....
the idea behind the extended filtering capabilities in routing software / OSes is to address the problems you describe.
well that covers everything doesnt it ;o)... even those not in ur network..does it actually ping and check to see if its there?
no, a default route is a default route. it doesn't check the IP address, but any packets to dud addresses will get dropped the second they hit a default free zone (if there is no matching prefix) or the upstream router (addresses covered by a prefix but not used). ======> I may have to stop aggregation/default routing , on certain points where i may have to go "loose"........ ...unless ..if its "right at the edge" , where you know customer interfaces..as you have been saying..but still nothing can be put on the non customer facing side....
do u inject BGP into IGP? ....do all access boxes have the entire BGP table/or know every address/network on the internet?
i'd be running iBGP across the default free core and IGP to cover link state of your core. i've seen BGP injected into IGP and it can end up ugly if your not careful. so yes, you'd have a subset of your routers with full tables. you can filter on these routers using "reachable-via any" to address asymmetry. on routers closer to the customer edge, you might not have a full table but you can apply stricter filtering given that you should know what subnets are coming in your customer facing interfaces. =========> you wudnt want to put this on any iBGP routers with "loose", as they will anyway "know too many networks" .....u cudnt do it for multihomed guys, not sure how u say u can.....unless you filter out his entire range.... ---------------
most access would be the corner cases... i have cases where tier-2 ISPs would simply take a 3 Mb uplink from 1 service provider and a fat downlink from another (ISP-2) ...all the BGP routes/advertisements would be in the 2nd ISPs networks, ISP 1 has no idea what this guys address range is at the access is... this is a common mechanism lots of tier-2 ISPs would apply......
? ISP-1 can filter packets based on subnets known to be attached to the customer circuit (your customer system does record IP addresses assigned to customers or provider independent IP subnets that your customers have, doesn't it?!?)... =====> wont work if the customer has his own AS else ill need to filter "all" of the addresses...... ***there is no rule which needs me to tell the peering provider what I am uplinking via his pipe**.......** I could still DDOS with all the IPs belonging to the tier-2 ISP and get enuf traffic generated...right?** you might also say "okie now i know this AS was the source" but then that hardly helps you obviously cant ban the whole AS's IP range.. u need to track the "user"..... ...hmm but you could say that the tier-2 guy should do RPF too........that makes sense...."stringent laws" would help..... ---------------- ISP-2 would do the same for upstream traffic. downstream both ISPs could apply whatever filtering is appropriate (loose / strict) given their network structure. =====> loose/strict wont help if its 2 different ISPs..........and if u dont know what customer networks are uplinking via your own core.....
we cud start a new topic...
"where is the core of the internet"?
coz assymetric routing messes up everything :o) even for those scenarios on the core...
read up a little RPF and the difference between "strict" and "loose"... http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122yo/swcg/secur e.htm#xtocid10 ========> loose is essentally "exist -only" i hope thats what u mean?........it doesnt check the "interface" being a possible point of entry, just that the network is known via the routing table......thats what your refering to I guess...??..for BGP peered networks... cant say much....its upto him what he advertises to you... but for customers whose networks are present in you IGP, it does make sense.....strict on all access devices, loose on all the major points where one cant tell the interfaces....but you still need to know where he uplinks and downlinks from...."so its sort of same as acls but yeah, its automated".......wondering if all this effort can be put onto the core... if u mean something else by "loose" then im sorry im not aware.. perhaps you could share some info... incase u think i am giving you too many corner cases.... its not "whine whine" its just exploring possibilites :o) ... -Alok