On Mon, 5 Aug 2002, Barry Raveendran Greene wrote:
But, what if you could "strict mode" packet filter on the ISP-ISP side? Let's say there was a dynamic uRPF filter that checked the source addresses against the eBGP routes coming into a link. In other words, if the source address from an ISP does not match the eBGP prefixes coming across from the peer, the packet would drop. So if some /8 prefixes are filtered on the eBGP side, they would get dropped on the ISP-ISP peering interface. For example, if I only send routes from AS X, then any packet whose source address is outside of AS X (say from AS Y) would not pass the uRPF check - resulting in a drop. Since this is based on the dynamics of the eBGP prefixes coming across the peering session, it would allow a "strict mode like" uRPF packet filtering on the ISP-ISP edge (with all the asymmetry found on the ISP-ISP edge).
How would this work for BGP Conditional Advertisement as per page 118 of "Cisco ISP Essentials?" :-) Hank
The question is whether this is something people would want as an option. A uRPF mode that would enforce a peering agreement with dynamic packet filtering (dynamic is based on the eBGP advertisements that get through the peering filter).
Barry
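
A small model of the dynamic source check discussed in this message, added here as an illustration; it is not code from the thread or from any router implementation. The class name, method names, the denied 10.0.0.0/8 and the documentation-range prefixes are all assumptions constructed for the example.

```python
import ipaddress


class PeerUrpfFilter:
    """Source-address check for one peering interface, driven by the
    eBGP prefixes accepted from that peer (hypothetical class)."""

    def __init__(self, peering_filter_deny):
        # Prefixes the inbound eBGP peering filter refuses to accept.
        self.deny = [ipaddress.ip_network(p) for p in peering_filter_deny]
        # Prefixes that got through the peering filter.
        self.accepted = set()

    def announce(self, prefix):
        """Process an eBGP announcement; return True if it was accepted."""
        net = ipaddress.ip_network(prefix)
        for d in self.deny:
            if net.version == d.version and net.subnet_of(d):
                return False  # a filtered route never enters the check set
        self.accepted.add(net)
        return True

    def withdraw(self, prefix):
        """Process an eBGP withdrawal; the packet check follows the change."""
        self.accepted.discard(ipaddress.ip_network(prefix))

    def permits(self, src):
        """True if a packet with this source address passes the check."""
        addr = ipaddress.ip_address(src)
        return any(addr.version == n.version and addr in n
                   for n in self.accepted)


def demo():
    # Constructed sample data: the peer sends one AS X prefix and one
    # prefix that the peering filter rejects.
    f = PeerUrpfFilter(peering_filter_deny=["10.0.0.0/8"])
    f.announce("192.0.2.0/24")   # AS X prefix, accepted
    f.announce("10.1.0.0/16")    # inside the filtered /8, rejected
    results = {
        "as_x": f.permits("192.0.2.10"),       # source inside AS X
        "as_y": f.permits("198.51.100.7"),     # source never advertised
        "filtered": f.permits("10.1.2.3"),     # source in filtered route
    }
    f.withdraw("192.0.2.0/24")
    results["after_withdraw"] = f.permits("192.0.2.10")
    return results


if __name__ == "__main__":
    print(demo())
```

Because the permitted set tracks announcements and withdrawals, a source prefix is accepted only while its route is currently being received through the peering filter.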