RE: NSPs filter?

From: Hank Nussbacher (no email)
Date: Mon Aug 05 2002 - 14:46:56 EDT

On Mon, 5 Aug 2002, Barry Raveendran Greene wrote:

> But, what if you could "strict mode" packet filter on the ISP-ISP side? Lets
> say there was a dynamic uRPF filter that checked the source addresses
> against the eBGP routes coming into a link. In other words, if the source
> address from an ISP does not match the eBGP prefixes coming across from the
> peer, the packet would drop. So if some /8 prefixes are filtered on the eBGP
> side, they would get dropped on the ISP-ISP peering interface. For example,
> if I only send routes from AS X, then any packet whose source address is
> outside of AS X (say from AS Y) would not pass the uRPF check - resulting in
> a drop. Since this is based on the dynamics of the eBGP prefixes coming
> across the peering session, it would allow a "strict mode like" uRPF packet
> filtering on the ISP-ISP edge (with all the asymmetry found on the ISP-ISP
> edge).

How would this work for BGP Conditional Advertisement as per page 118 of
"Cisco ISP Essentials?"


> The question is whether this is something people would want as an option. A
> uRPF mode that would enforce a peering agreement with dynamic packet
> filtering (dynamic is based on the eBGP advertisements that get throughthe
> peering filter).
> Barry

