(Loose) uRPF vs. non-announced IXP space
Daniel Roesen
dr at cluenet.de
Wed Feb 8 18:19:05 CET 2012
On Wed, Feb 08, 2012 at 04:20:48PM +0000, Phil Mayers wrote:
> On 08/02/12 15:57, Daniel Roesen wrote:
>
>>
>>> Of course it's a SHOULD, so it's reasonable for an override option:
>>>
>>> ipv6 icmp source-address LoopbackX
>>>
>>> ...to exist. But not to be the default.
>>
>> ... which doesn't fix the underlying issue. Who says that routers do
>> have loopbacks within a globally advertised prefix?
>
> I don't disagree. Sourcing from the loopback was not my suggestion; I was
> responding to the previous question.
Yeah, I was more thinking out loud than anything else. The uRPF issue
was the reason why we (INXS) decided to advertise our IXP LAN prefixes
back when we got them.
> I'm no expert on the design and operation of IXP networks, so I can't
> comment on the correct solution - the thread that Bernhard linked to in his
> 2nd message seems to list a few options, none of which were universally
> liked.
I fear there is no universal good answer to that problem without
drawbacks.
- Advertise the IXP prefix - be possible target for DDoS.
- Don't advertise it - run into uRPF blackholing of ICMP responses.
- Modify the uRPF check to ignore ICMP - still possible target for DDoS.
Options 2+3 do sound like clear cases of TANSTAAFL.
Best regards,
Daniel
--
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0
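A small model of the three options Daniel lists, added here as an example that is not part of the thread or of any vendor's uRPF implementation. It assumes loose-mode uRPF at a remote network (accept if any FIB entry covers the source), and all prefixes, the FIB contents and the option names are constructed from documentation space:

```python
# Loose-mode uRPF at a remote network vs. ICMPv6 responses sourced from an IXP LAN.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "icmp6" or "tcp"

class LooseUrpf:
    """Loose uRPF: accept a packet if any FIB entry covers its source address.
    exempt_icmp models option 3 from the thread (skip the check for ICMP)."""
    def __init__(self, fib, exempt_icmp=False):
        self.fib = [ipaddress.ip_network(p) for p in fib]
        self.exempt_icmp = exempt_icmp

    def has_route(self, addr):
        return any(ipaddress.ip_address(addr) in net for net in self.fib)

    def accept(self, pkt):
        if self.exempt_icmp and pkt.proto.startswith("icmp"):
            return True
        return self.has_route(pkt.src)

# Constructed sample data: documentation prefixes, not any real IXP or ISP.
REMOTE_FIB = ["2001:db8:1000::/36", "2001:db8:2000::/36"]  # what the remote net routes
IXP_LAN = "2001:db8:ffff::/64"                              # hypothetical IXP peering LAN
IXP_ROUTER = "2001:db8:ffff::1"                             # a member router's port on it

def evaluate(option):
    """Return (icmp_delivered, ixp_lan_routable, spoofed_icmp_accepted) for one option."""
    fib, exempt = list(REMOTE_FIB), False
    if option == "advertise":          # option 1: IXP prefix ends up in everyone's FIB
        fib.append(IXP_LAN)
    elif option == "exempt-icmp":      # option 3: uRPF ignores ICMP
        exempt = True
    elif option != "not-advertised":   # option 2: prefix stays out of the DFZ
        raise ValueError(option)
    urpf = LooseUrpf(fib, exempt_icmp=exempt)
    # ICMPv6 Packet Too Big from the IXP-facing router towards a host in the remote net
    ptb = Packet(src=IXP_ROUTER, dst="2001:db8:1000::10", proto="icmp6")
    # Same message with a source nobody routes: what the ICMP exemption also lets in
    spoofed = Packet(src="2001:db8:dead::1", dst="2001:db8:1000::10", proto="icmp6")
    return urpf.accept(ptb), urpf.has_route(IXP_ROUTER), urpf.accept(spoofed)

if __name__ == "__main__":
    for opt in ("advertise", "not-advertised", "exempt-icmp"):
        print(opt, evaluate(opt))
```

Only option 1 delivers the Packet Too Big without also accepting ICMP from unrouted sources, which is the trade-off the list above describes.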