On Sun, May 05, 2002 at 11:55:21AM -0700, Livio Ricciulli wrote:
In particular, I am interested in the ability of eliminating specific routes from the FIB under uRPF Loose Check Mode to effectively filter specific source addresses that are flooding.
As I understand the concept, eliminating an address from the FIB such as x.y.0.0/24 would have the equivalent effect of installing a network-wide ACL rule:
deny ip x.y.0.0/24 any
Not quite. First, lets be specific by what you mean by "remove from the FIB", as there are a number of different methods you could use. You could simply block it from the RIB when generating the FIB, you could go back after FIB generation and try to make it unresolved, or you could change the nexthop to "discard". If you're trying to replicate traditional firewall behavior (filter no matter what) you would have to do it post FIB generation, but if you are trying to replicate normal routing behavior (ex: a null route) you would have to do it during FIB generation, so that you can potentially have more specific routes which escape the "filter". Secondly, when you remove something from your FIB, you also block destination routing as well as source.
The reason why I ask is that we would like to keep control of these two important aspects of the traffic to avoid filtering out too much and therefore possibly affecting legitimate traffic. Think of the case where a flood targets one of multiple downstream customers and the spoofed addresses correspond to a popular address range (such as Yahoo). Doing a "deny ip x.y.0.0/24 any" would effectively shut down Yahoo's traffic for all downstream customers thus amplifying the attacker's effect.
It sounds like what you are looking for has nothing to do with the RPF or the FIB, but rather simply manual source address filtering. However, if the reason you're interested in RPF is because you want to source match filtering more efficiently, you may be interested in the data structure. Rather then walking a straight access-list rule set doing a comparison for every rule, you can make a "Filtering" Information Base mtrie for source address rules. This is the entire point of standard access-lists, and more recently compiled access-lists. -- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)