[AusNOG] Filtering of downstream transit customer routes via RPF

Andy Davidson andy at nosignal.org
Tue Jun 16 17:35:17 EST 2015


> On 15 Jun 2015, at 13:23, Andrew Yager <andrew at rwts.com.au> wrote:
> 
> We had a bit of a debate this morning in the office around what was the “right” way to handle RPF on downstream customer links; i.e. should it be loose or strict mode.

I think it depends what you mean by ‘customer’. :-)

> I’m all for opening cans of worms; so what do other network operators think the “right” way to treat ingress filtering on downstream customer links is? Bonus points for references to documents we should have read, that set out how we should do our jobs :)

Single-homed customers buying Internet Access circuits (no BGP) from you, on a single link, can and should be strict mode forwarded. Thank you for doing that if you are. :-)

BGP customers could logically and legally decide to originate packets from their IP prefixes facing you via an alternative provider, despite the fact that you are likely to record best path with those customers via their BGP linknets with you. Also they could have multiple links in multiple cities to you with different best paths resolved because of their use of communities or similar, therefore causing strict mode to drop packets. In this scenario, doing very strict prefix filters is really, really important (see TM/3356 woe last week), but your best hope to IP filter those customers is to use the BGP prefix filters as a static IP source address filter as well (reloading both filters at the same time).

Andy
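
An added example, not part of the original message: a small Python model of the three checks discussed above (strict RPF, loose RPF, and a source-address filter built from the same list as the BGP prefix filter), evaluated on the router terminating one link of a multihomed BGP customer. The prefixes, interface names and FIB contents are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes, hypothetical interface names.
# FIB of the router terminating the customer's link "cust-A". The customer's
# second prefix has its best path via the customer's link in another city.
FIB = {
    "192.0.2.0/24": "cust-A",      # customer prefix, best path on this link
    "198.51.100.0/24": "core",     # customer prefix, best path via other city
    "203.0.113.0/24": "upstream",  # someone else's prefix
}
CUSTOMER_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]


def lookup(fib, src):
    """Longest-prefix match: best-path interface for src, or None."""
    addr = ipaddress.ip_address(src)
    hits = [n for n in map(ipaddress.ip_network, fib) if addr in n]
    if not hits:
        return None
    return fib[str(max(hits, key=lambda n: n.prefixlen))]


def strict_rpf(fib, src, in_if):
    """Strict mode: the route back to src must use the arrival interface."""
    return lookup(fib, src) == in_if


def loose_rpf(fib, src):
    """Loose mode: any route to src, via any interface, is enough."""
    return lookup(fib, src) is not None


def build_filters(prefixes):
    """Build the BGP prefix filter and the source filter from one list,
    so both are reloaded together and cannot drift apart."""
    nets = sorted(ipaddress.ip_network(p) for p in prefixes)
    return {"bgp_prefix_filter": list(nets), "source_acl": list(nets)}


def verdicts(src, in_if="cust-A"):
    """Permit/drop decision of each method for a packet arriving on in_if."""
    acl = build_filters(CUSTOMER_PREFIXES)["source_acl"]
    addr = ipaddress.ip_address(src)
    return {"strict": strict_rpf(FIB, src, in_if),
            "loose": loose_rpf(FIB, src),
            "acl": any(addr in n for n in acl)}
```

For a source in 198.51.100.0/24 arriving on cust-A, strict mode drops legitimate customer traffic; for a source in 203.0.113.0/24, loose mode passes a packet the customer has no right to send, while the prefix-derived filter gets both cases right.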

