On 02/10/2014 12:23, Jérôme Nicolle wrote:
> This. But let me ask you, how many transit providers actually implement strict prefix-filtering? I've seen many using a max-prefix as their sole defense.
Plenty do and have no back-end capability to handle this, other than email updates.
> Now, let's consider that what you want is to match an interface ACL to prefixes received on a BGP session running through the same interface. Ain't that what uRPF-strict is all about? What are the known downsides to uRPF-strict?
Your BGP announcement to your upstream is not guaranteed to be there all the time. E.g. if you're doing maintenance and stop announcing BGP to your upstream for inbound traffic, but still want to depend on it for outbound traffic, uRPF will trash things. uRPF is only feasible for statically configured hand-offs.
> When buying from transits, you either update your IRR for automatic prefix-filter generation on your transit's side, or start with a "BGP over SMTP" session. While the former could generate ACLs from a template, the latter will be prone to human error. And still, how many of us _really_ ensure their IRRs are always up-to-date?
This only happens when there is a reason to do so.
> Next in line: IXPs. You never really know what routes will be available or have to be filtered when 800+ ASes, most with customers also using BGP, start talking to the same route-server. Or maybe the route-server could provide a flowspec AFI to send filters AND routes simultaneously.
IXPs are more difficult, but if your IXP is running a route server, they should be implementing strict prefix filtering. At least, this puts pressure on IXP participants to register their prefix at their local irrdb.
> Would you trust it? Will your router have enough silicon horsepower to match both IP _and_ L2 headers at line-rate?
Probably yes on most routers with dedicated hardware for this, but it will depend on the number of ACL entries.
> BCP38 aims at spoof prevention by filtering as close to the source as possible. Implementation on the network's edge looks to me like a tricky one. Sharing the load amongst CPEs is the best practice, and could be considered a requirement enforced by transit providers. Or shouldn't it?
uRPF is appropriate for the ISP last hop. Static filters are suitable for the transit provider connecting that ISP to the rest of the network.

Nick
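The failure mode Nick describes (a customer withdraws its announcement for maintenance but keeps sending outbound traffic, and strict uRPF then drops it) and the contrast with a static ACL generated from IRR route objects can be modelled in a few lines. The following Python is an added example, not code from anyone in this thread: the AS numbers, interface names, RPSL objects and RFC 5737 addresses are all constructed for the illustration and belong to no real operator.

```python
"""Model of the ingress anti-spoofing checks discussed above: strict and loose
uRPF (which consult the FIB) against a static ingress ACL generated from IRR
route objects.  Everything here is constructed for the example: the AS numbers,
interface names and RFC 5737 documentation prefixes belong to no real operator."""
import ipaddress

# Constructed RPSL route objects, in the shape an IRR query would return them.
IRR_OBJECTS = """\
route:   192.0.2.0/24
origin:  AS64500

route:   198.51.100.0/25
origin:  AS64501
"""


def prefixes_for_origin(rpsl_text, origin_as):
    """Return the ip_network of every 'route:' object whose 'origin:' is origin_as.
    This is the 'automatic prefix-filter generation' step: the customer's ACL is
    built from what they registered, not from what they currently announce."""
    prefixes, current = [], None
    for line in rpsl_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "route":
            current = value
        elif key == "origin":
            if value == origin_as and current is not None:
                prefixes.append(ipaddress.ip_network(current))
            current = None
    return prefixes


class UpstreamRouter:
    """Transit router with a FIB (prefix -> interface) and per-interface ingress ACLs."""

    def __init__(self, fib, acl):
        self.fib = {ipaddress.ip_network(p): iface for p, iface in fib.items()}
        self.acl = acl  # interface name -> list of permitted source ip_networks

    def withdraw(self, prefix):
        """Customer stops announcing a prefix (e.g. maintenance): it leaves the FIB."""
        del self.fib[ipaddress.ip_network(prefix)]

    def lookup(self, src):
        """Longest-prefix match; returns the egress interface or None if no route."""
        ip = ipaddress.ip_address(src)
        matches = [(net, iface) for net, iface in self.fib.items() if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def urpf_strict(self, src, in_iface):
        # Pass only if the best route back to the source points at the ingress interface.
        return self.lookup(src) == in_iface

    def urpf_loose(self, src):
        # Pass if the source is routable at all, regardless of interface.
        return self.lookup(src) is not None

    def static_acl(self, src, in_iface):
        # Pass if the source falls inside a prefix the customer registered for this hand-off.
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.acl.get(in_iface, []))

    def evaluate(self, src, in_iface):
        return {
            "strict": self.urpf_strict(src, in_iface),
            "loose": self.urpf_loose(src),
            "acl": self.static_acl(src, in_iface),
        }


def maintenance_scenario():
    """Customer AS64500 on interface 'cust1' announces 192.0.2.0/24, then withdraws
    it for maintenance while still sending outbound traffic through the same link."""
    router = UpstreamRouter(
        fib={"192.0.2.0/24": "cust1", "198.51.100.0/25": "core"},
        acl={"cust1": prefixes_for_origin(IRR_OBJECTS, "AS64500")},
    )
    legit, spoofed = "192.0.2.10", "198.51.100.7"  # constructed source addresses
    before = {"legit": router.evaluate(legit, "cust1"),
              "spoofed": router.evaluate(spoofed, "cust1")}
    router.withdraw("192.0.2.0/24")
    after = {"legit": router.evaluate(legit, "cust1"),
             "spoofed": router.evaluate(spoofed, "cust1")}
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, results in maintenance_scenario().items():
        for kind, checks in results.items():
            print(f"{phase:6} {kind:8} {checks}")
```

Before the withdrawal all three checks agree on the legitimate packet; after it, strict and loose uRPF both drop the customer's own traffic because nothing in the FIB points back at them, while the IRR-derived ACL still passes it. Loose uRPF never catches the spoofed source in either phase, since that prefix is routable somewhere, which is why it adds little at a customer hand-off. The model deliberately has no default route: real implementations differ on whether a default route satisfies uRPF, so that case is left out rather than guessed at.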