
Re: Last Call: Ingress Filtering for Multihomed Networks to BCP



At 07:16 PM 7/9/2003, The IESG wrote:

The IESG has received a request to consider Ingress Filtering
for Multihomed Networks <draft-savola-bcp38-multihoming-update-00.txt>
as a BCP.  This has been reviewed in the IETF but is not the product
of an IETF Working Group.

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action.  Please send any comments to the
iesg@ietf.org or ietf@ietf.org mailing lists by 2003-8-6.

Writing as an author of the to-be-updated document, I have some serious concerns about this document. The information provided is useful to an extent, but centers around issues specific to particular vendors' methodologies of implementation (specifically strict and loose RPF).

My concern is this: It is entirely possible (though with present architectures less optimal) to implement a source address check mechanism in a router that performs the lookups in the RIB, thereby finding whether the egress interface selected is VALID (not necessarily optimal for ingress) for the source IP address in question. That equipment vendors have not chosen to implement such checks is a separate issue. In my opinion a complete RPF implementation would provide such a RIB check.

To be fair, the overhead to properly implement such a complete RPF check in some router vendors' architectures may be difficult. Nevertheless, the impression one gets reading this document is that the methods implemented to-date are as good as can be done.

While this proposed update deals with operational issues, failing to discuss the possibility of RIB-based RPF also fails to raise a technology issue that implementors might find useful and interesting. If we were to explain this possibility, and the technical hurdles to achieving it, there is a chance network operators would enquire with their vendors about the costs to implement.

RFC 2267/2827 recommend the source IP address be verified as valid. Access lists are but one mechanism to achieve that. Automated RPF schemes are certainly of interest in that they leverage the routing system's tables to perform the work. With sufficient light on the issue, I believe network operators would prefer an automated system that checks the proper routing table.

The acknowledgement section, though cute, is inappropriate.

I would be happy to discuss my concerns with the authors of the document, but do not believe the document is ready for publication in its present form.

Daniel Senie
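The distinction the post draws, between checking only the FIB's best route (strict RPF), checking for any route at all (loose RPF), and checking whether the ingress interface is any valid egress for the source prefix in the RIB, is shown below as an added example; it is not code from the post or from any router vendor. The RIB, interface names and metrics are constructed for illustration, and like common router implementations the checks ignore the default route unless told otherwise.

```python
import ipaddress

# Constructed RIB: prefix -> list of (egress interface, metric). The lowest-metric
# route is what a FIB would install; the others are valid but non-optimal paths,
# as seen for a multihomed customer whose traffic returns asymmetrically.
RIB = {
    "192.0.2.0/24": [("eth1", 10), ("eth2", 20)],   # multihomed customer, eth1 preferred
    "198.51.100.0/24": [("eth3", 10)],              # single-homed customer
    "0.0.0.0/0": [("eth0", 100)],                   # default route toward upstream
}

def longest_match(rib, src, allow_default=False):
    """Return (network, routes) for the most specific prefix covering src, or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, routes in rib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue  # a default route is not evidence that a source is legitimate
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, routes)
    return best

def strict_rpf(rib, src, ingress):
    """Strict uRPF: accept only if the FIB's best route back to src uses the ingress interface."""
    match = longest_match(rib, src)
    if match is None:
        return False
    best_iface = min(match[1], key=lambda route: route[1])[0]
    return best_iface == ingress

def loose_rpf(rib, src):
    """Loose uRPF: accept if any (non-default) route to src exists, whatever its interface."""
    return longest_match(rib, src) is not None

def rib_rpf(rib, src, ingress):
    """RIB-based check as the post describes: accept if ingress is ANY valid egress for src,
    not only the optimal one, so asymmetric multihomed paths are not rejected."""
    match = longest_match(rib, src)
    if match is None:
        return False
    return ingress in {iface for iface, _ in match[1]}

def check(rib, src, ingress):
    """Evaluate all three policies for one packet; keys name the policy."""
    return {"strict": strict_rpf(rib, src, ingress),
            "loose": loose_rpf(rib, src),
            "rib": rib_rpf(rib, src, ingress)}
```

The packet arriving on the customer's secondary link (eth2) is the case the post cares about: strict RPF discards it although the RIB knows eth2 as a valid path.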