[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Re: [RRG] Meeting slot at IETF64

To: "'Pekka Savola'" <pekkas@netcore.fi>, "'xuke'" <xuke@mail.tsinghua.edu.cn>
Subject: Re: Re: [RRG] Meeting slot at IETF64
From: "Wang Lijun" <wlj@csnet1.cs.tsinghua.edu.cn>
Date: Thu, 15 Sep 2005 23:25:23 +0800
Cc: "'Avri Doria'" <avri@psg.com>, "'rrg'" <rrg@psg.com>
In-reply-to: <Pine.LNX.4.61.0509150805420.11004@netcore.fi>

That's right the uRPF can be used between ISPs, however strict RPF isn't
apporiate 
to be used for the routing asymmetry and possible RPF and loose RPF may let
some spoofed packets evade because the connection of Internet is becoming
more
complicated.

Making Ingress filtering take effect requires at least a large proportional
networks to 
implement it, but that is a little ideal. Hence, it is pratical implement
packets filtering 
on some core ISPs. Strict RPF is disabled by routing asymmetry and possible
RPF is 
not accurate, so I think more precise information should provide to support
packets 
filtering.

On Wed, 14 Sep 2005, xuke wrote:
>> Have you looked at unicast RPF (see RFC 3704, RFC 2827) for IP 
>> spoofing prevention?  You should focus on describing the relation of 
>> the proposal to uRPF.
>
> Yes, I knew uRPF, actually our proposal doesn't focus on the uRPF 
> itself, our proposal is to solve following problem, core routers how 
> to generate the RPF list or table from BGP routing table. We think in 
> order to support real IP address access, core routers, especially core 
> routers between different ISP also need to filter incoming packets. 
> You can find more details in our paper 
> http://netlab.cs.tsinghua.edu.cn/~wlj/publications/BGPRouteSelectionNo
> tice_ICOIN.pdf

You can also use uRPF at peering links between ISPs as it is -- the use of
uRPF is not restricted to just edge networks.

Obviously that will require that the other ISP is advertising all its
prefixes to you, otherwise you'll drop the asymmetric traffic.  Check out
Feasible Path RPF in RFC3704.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

--
to unsubscribe send a message to rrg-request@psg.com with the word
'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg

--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg

References:
- Re: Re: [RRG] Meeting slot at IETF64
  - From: Pekka Savola <pekkas@netcore.fi>

Prev by Date: Re: Re: [RRG] Meeting slot at IETF64
Next by Date: RE: Re: [RRG] Meeting slot at IETF64
Previous by thread: Re: Re: [RRG] Meeting slot at IETF64
Index(es):
- Date
- Thread