At 04:37 AM 9/13/96 -0400, Alexis Rosen wrote:
> Alex.Bligh writes:
> > I think you are talking about filtering inbound packets to your router and restricting them to BGP announcements (I don't think Avi was - see below). This would be done on the destination address (checking it was within your announced route set) and thus doesn't help protect against spoofed source addresses.
> No, Justin's talking about filtering _customers'_ packets at Justin's border with the customer. No BGP involved. This assumes customers that are not providers (i.e., no transit for other nets through the customer). Good enough if all providers do the right thing (or if almost all do).
> What Justin meant about his BGP announcements was that a customer's packet is legal IFF Justin's announcing that packet's net by BGP (on _behalf_ of the customer, not _to_ the customer). Again, customer means a site that's not a BGP peer.
Actually what Justin was talking about is as follows... Justin will only allow packets out of his border routers /to/ peers if they are packets with a source address inside the ranges of addresses he announces via BGP. I.e., if I announce 192.1.1.0 0.0.0.255 I would allow a packet with an address of 192.1.1.1 out of my network into "the net at large" but not if the packet's source address was 192.1.2.1. I will allow any packet which I allow to enter my network into a customer's network. Their filtering is their problem.

Justin Newton
Internet Architect
Erol's Internet Services
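The egress rule Justin describes, as an added example that is not part of the original thread: packets leaving the border toward a peer pass only if their source address falls inside a prefix the network announces by BGP, while packets heading in toward a customer get no source check. The announced prefixes are written in the Cisco "address wildcard" form used in the message (192.1.1.0 0.0.0.255); the second prefix, the packet list and the destination addresses are constructed for illustration, and the function names are my own.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed example data: prefixes this network announces by BGP, in the
# Cisco "address wildcard" form from the message. The /22 is a hypothetical
# second prefix added so the filter has more than one range to match.
ANNOUNCED_WILDCARD = [
    "192.1.1.0 0.0.0.255",
    "192.1.4.0 0.0.3.255",
]


def wildcard_to_network(entry: str) -> ipaddress.IPv4Network:
    """Convert a Cisco ACL 'address wildcard' pair to an IPv4Network.

    A wildcard mask is the bitwise inverse of a subnet mask. Only a contiguous
    mask (a run of ones followed by a run of zeros) describes one prefix, so a
    discontiguous wildcard such as 0.0.255.0 is rejected instead of being
    silently approximated by some prefix it does not actually mean.
    """
    addr_s, wild_s = entry.split()
    wild = int(ipaddress.IPv4Address(wild_s))
    mask = ~wild & 0xFFFFFFFF
    prefix_len = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF:
        raise ValueError(f"discontiguous wildcard mask: {wild_s}")
    # strict=False tolerates host bits set in the address part, as IOS does.
    return ipaddress.IPv4Network((addr_s, prefix_len), strict=False)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def egress_to_peer_allowed(pkt: Packet, announced: list[ipaddress.IPv4Network]) -> bool:
    """Border router, direction out to a peer: pass only if the source address
    lies inside some prefix we announce. The destination is not consulted."""
    src = ipaddress.IPv4Address(pkt.src)
    return any(src in net for net in announced)


def egress_to_customer_allowed(pkt: Packet, announced: list[ipaddress.IPv4Network]) -> bool:
    """Border router, direction in toward a customer: anything already admitted
    into the network passes; source filtering there is the customer's job."""
    return True


def apply_egress_filter(pkts, announced, to_peer=True):
    """Return (passed, dropped) lists of source addresses for a batch of packets."""
    check = egress_to_peer_allowed if to_peer else egress_to_customer_allowed
    passed, dropped = [], []
    for p in pkts:
        (passed if check(p, announced) else dropped).append(p.src)
    return passed, dropped


ANNOUNCED = [wildcard_to_network(e) for e in ANNOUNCED_WILDCARD]

# Constructed packets leaving the border toward a peer.
SAMPLE = [
    Packet("192.1.1.1", "198.51.100.7"),  # inside the announced /24: pass
    Packet("192.1.2.1", "198.51.100.7"),  # outside every announced prefix: drop
    Packet("192.1.5.9", "203.0.113.2"),   # inside the hypothetical /22: pass
    Packet("10.0.0.1", "203.0.113.2"),    # private source, never announced: drop
]


def demo():
    return apply_egress_filter(SAMPLE, ANNOUNCED, to_peer=True)


if __name__ == "__main__":
    passed, dropped = demo()
    print("pass:", passed)
    print("drop:", dropped)
```

The check is only as good as the assumption Alexis states: that the customer is not itself a provider carrying other networks' traffic. A multihomed customer whose prefix is announced only through its other provider will have its packets dropped here, so in practice the announced set and the permitted-source set have to be maintained together.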