RE: Unicast RPF

From: jean.paul.baaklini@accenture.com
Date: Fri Sep 24 2004 - 05:09:36 GMT-3


James,

Thanks for your comments. I see what the issues are with URPF; what I
don't see is what the advantages are. Is it useful?

Cheers,
JP

-----Original Message-----
From: James [mailto:james@towardex.com]
Sent: 23 September 2004 22:10
To: Baaklini, Jean paul
Cc: ccielab@groupstudy.com
Subject: Re: Unicast RPF

On Thu, Sep 23, 2004 at 01:37:38PM +0200,
jean.paul.baaklini@accenture.com wrote:
> Hi Group,
>
> I've heard that Unicast RPF was most useful when used on a CE router
> IN A SINGLE-HOMED ENVIRONMENT. I don't really understand how. For me the
> URPF should always be successful in this type of environment, as all
> subnets not on your internal network will be on one side of the router;
> the expected interface for this traffic would always be the external
> interface.

The problem with strict uRPF when you are multihomed is this:

Packet A leaves out to Interface A, because the route for that
destination points to Interface A.

The receiving host on the other end of the intarweb receives packet A
but the returning path finds Interface B to be best path.

Response packet arrives on Interface B, but route points to interface
A. --> **RPF FAILED** <-- Packet drops.

Because of this problem, there is another version of uRPF implementation
called loose-check (or loose mode?) uRPF.

Loose check uRPF does not check the interface, but checks whether the
route exists in the FIB. If the route exists, regardless of where it is
pointed to, it will drop the packet. This will allow you to use
uRPF on multihomed customers w/o collateral damage, but it is less
secure than strict uRPF, as you can now only block packets sourced from
non-allocated / non-advertised IP networks.

Loose check uRPF on modern service provider vendors (Cisco, Juniper, etc.)
will also kill the packet if the route for that packet is destined to
an invalid FIB adjacency, such as a Null route. So one can set up an
autonomous pseudo-firewall around the borders of his AS by using a combo
of loose uRPF and iBGP. Announce a /32 you want blocked with next-hop set
to Null0 to be inserted into all routers -- and uRPF loose mode will drop
all packets arriving at the border sourced from that /32.

>
> So my questions are:
>
> 1- Is Unicast RPF useful at all?

It indeed is. For service providers, running strict uRPF on colocation
edge and other single-homed customers is useful. Furthermore, running
loose uRPF on borders also scales in preparing for the NOC's response
methods during the event of a DoS attack.

> 2- If yes, is it used to replace these "anti-spoofing" ACLs?
>

It depends on how you have it set up. Obviously if you are doing strict
uRPF, SAV (source address validation) ACLs are no longer necessary. If
doing multihomed customers using loose check, you still probably want to
keep SAV ACLs in place, depending on your setup.

I know one big SP who uses RADB (http://www.radb.net) to build SAV ACLs
for customers who run BGP with them. Basically the customer has to
register all routes he announces to BGP when multihomed w/ this vendor.
Then they build an access-list that specifically allows the customer
ASN's registered routes from RADB. I think this method scales too.

-J

-- 
James Jun                            TowardEX Technologies, Inc.
Technical Lead                       Network Design, Consulting, IT Outsourcing
james@towardex.com                   Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867                web: http://www.towardex.com , noc: www.twdx.net

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
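The strict-versus-loose behaviour James describes (the asymmetric return path that fails strict mode, the Null0 route that loose mode still drops, and the spoofed-but-routable source that loose mode cannot catch) is easy to see on a toy FIB. The following is an added example written for this archive page, not code from either poster or from any vendor: it models a longest-prefix FIB lookup and the two check modes in Python. The prefixes, interface names (Gi0/0, Gi0/1, Gi0/2) and the blackholed /32 are constructed, and the `allow_default` flag is an assumption modelled on the IOS `allow-default` option, so that a source covered only by the default route is treated as unrouted unless you opt in.

```python
"""Toy FIB with strict and loose uRPF checks.

Added example, not from the original thread. FIB contents, interface
names and addresses are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

NULL0 = "Null0"  # discard adjacency: a blackhole route injected via iBGP or statically


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str  # egress interface, or NULL0 for a blackhole


def lookup(fib: list[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match on the packet's *source* address, as the FIB does."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in fib:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def _usable(r: Optional[Route], allow_default: bool) -> bool:
    # No route at all fails both modes. A match on 0.0.0.0/0 only counts
    # when allow_default is set (assumption: mirrors the IOS allow-default knob).
    if r is None:
        return False
    if r.prefix.prefixlen == 0 and not allow_default:
        return False
    return True


def urpf_strict(fib: list[Route], src: str, in_iface: str, allow_default: bool = False) -> bool:
    """Strict mode: best route back to src must exit the ingress interface
    and must not be a blackhole. Returns True when the packet is accepted."""
    r = lookup(fib, src)
    return _usable(r, allow_default) and r.iface != NULL0 and r.iface == in_iface


def urpf_loose(fib: list[Route], src: str, allow_default: bool = False) -> bool:
    """Loose mode: any usable route to src is enough, whichever interface it
    points out of; a route to Null0 still drops the packet."""
    r = lookup(fib, src)
    return _usable(r, allow_default) and r.iface != NULL0


def build_fib() -> list[Route]:
    """Constructed FIB of a multihomed border router."""
    n = ipaddress.ip_network
    return [
        Route(n("192.0.2.0/24"), "Gi0/0"),     # customer, internal side
        Route(n("203.0.113.0/24"), "Gi0/1"),   # best path via upstream A
        Route(n("198.51.100.0/24"), "Gi0/2"),  # best path via upstream B
        Route(n("203.0.113.66/32"), NULL0),    # attacker /32 blackholed over iBGP
        Route(n("0.0.0.0/0"), "Gi0/1"),        # default toward upstream A
    ]


def run_cases() -> dict[str, tuple[bool, bool]]:
    """Map case name -> (strict accepted?, loose accepted?)."""
    fib = build_fib()
    cases = {
        "symmetric_return":  ("203.0.113.10", "Gi0/1"),  # reply comes back the way we sent
        "asymmetric_return": ("203.0.113.10", "Gi0/2"),  # reply arrives via upstream B
        "blackholed_src":    ("203.0.113.66", "Gi0/1"),  # /32 -> Null0 wins longest match
        "unrouted_src":      ("100.64.0.1",   "Gi0/1"),  # only the default route matches
        "customer_ok":       ("192.0.2.5",    "Gi0/0"),  # customer prefix on customer port
        "customer_spoofed":  ("192.0.2.5",    "Gi0/1"),  # customer prefix spoofed from upstream
    }
    return {name: (urpf_strict(fib, src, iface), urpf_loose(fib, src))
            for name, (src, iface) in cases.items()}


if __name__ == "__main__":
    for name, (strict, loose) in run_cases().items():
        print(f"{name:18s} strict={'pass' if strict else 'DROP':4s} "
              f"loose={'pass' if loose else 'DROP'}")
```

Running it shows the three points from the thread in one table: `asymmetric_return` is dropped by strict mode but passed by loose mode, `blackholed_src` is dropped by both because the Null0 /32 wins the longest-prefix match, and `customer_spoofed` is caught only by strict mode, which is why the SAV ACLs are still wanted on loose-mode customer ports. On IOS the equivalent knobs are `ip verify unicast source reachable-via rx` for strict and `reachable-via any` for loose, with a static `ip route x.x.x.x 255.255.255.255 Null0` (or the same next-hop carried in iBGP) providing the blackhole.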



This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:48 GMT-3