Hello,

What is an IP address?

Best Regards.

Alperen T. AYDIN
C-Level Executive

T: 0850 888 2 507
F: 0242 922 0 725
E: info@kapteyan.com.tr

Kapteyan Bilişim Teknolojileri AŞ
Tarım Mh. Perge Bulvarı Cd. Perge Plaza İş Merkezi C Blok No: 13/106
Muratpaşa / ANTALYA

www.kapteyan.com.tr


On 15 Sep 2023, at 16:23, Joe Botha <joe@atomic.ac> wrote:

Hi

Using x86 routers and Mellanox switches running Debian 12 and FRR 9.

In both cases we disable rp_filter.

On x86 (IPT routers) we use nftables to implement anti-spoofing. Pretty basic - drop all packets that leave our network if source address is not in our IP ranges.

On Mellanox (peering routers) we use tc rules (hardware path). Here we drop packets we receive on the fibre network facing interfaces, based on which subnets are routed there. tc syntax involves more rules to write and maintain (vs nft).

You could probably use tc in both cases.

--
Regards,
Joe

Atomic Access - we make fibre epic!
www.atomicaccess.co.za - 021 300 5046



<Atomic-Logo.png>



"The new needs friends." -- Anton Ego
www.facebook.com/AtomicAccess
www.instagram.com/AtomicAccess




On 14 Sep 2023, at 14:30, Brandon Zhi <Brandon@huize.asia> wrote:

Hi guys,

We are currently researching the use of Bird and Debian 11 as a router. Typically, for implementing asymmetric routing, we would disable source address validation on the Linux network interfaces because Bird only imports the preferred BGP routes into the kernel.

To disable source address validation, we added the following lines to the /etc/sysctl.conf file:

echo "net.ipv4.conf.default.rp_filter=0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.rp_filter=0" >> /etc/sysctl.conf

However, this causes the Linux router to no longer inspect inbound traffic, making it susceptible to spoofing attacks. For example:

10:03:26.838383 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 905: 122.50.0.17.3036 > 39.156.66.10.80: Flags [SE], seq 198995835:198996686, win 60981, length 851: HTTP
10:03:26.838392 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 947: 122.50.0.152.32073 > 39.156.66.10.80: Flags [S], seq 2101939968:2101940861, win 62208, length 893: HTTP
10:03:26.838392 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 54: 81.161.230.95.80 > 157.245.124.144.80: Flags [R.], seq 0, ack 21709, win 0, length 0
10:03:26.838399 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 908: 122.50.0.72.62493 > 124.220.216.71.80: Flags [SE], seq 4095570527:4095571381, win 62133, length 854: HTTP
10:03:26.838400 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 54: 81.161.230.95.80 > 157.245.124.144.80: Flags [R.], seq 0, ack 5445, win 0, length 0
10:03:26.838406 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 908: 122.50.1.104.54896 > 39.156.66.10.80: Flags [SE], seq 3597707872:3597708726, win 61211, length 854: HTTP
10:03:26.838414 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 936: 122.50.2.72.7733 > 39.156.66.10.80: Flags [SE], seq 506840124:506841006, win 62528, length 882: HTTP
10:03:26.838421 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 944: 122.50.2.135.47620 > 39.156.66.10.80: Flags [SE], seq 3120826456:3120827346, win 61210, length 890: HTTP
10:03:26.838429 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 947: 122.50.2.178.34590 > 39.156.66.10.80: Flags [SE], seq 2266895668:2266896561, win 62280, length 893: HTTP
10:03:26.838438 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 907: 122.50.0.244.59325 > 39.156.66.10.80: Flags [SE], seq 3887931453:3887932306, win 64335, length 853: HTTP

The solutions I can think of are as follows:

Obtain all routes from BGP, e.g., from AS1 and AS2, via different network interfaces. Then, convert these addresses into a whitelist and filter inbound traffic on the network interfaces based on prefixes using nft.

Import all routes into the Linux kernel, similar to ECMP (Equal-Cost Multipath Routing).

However, these implementations can be complex. Does anyone have experience using Linux as a BGP router?

Thanks,
Brandon Zhi
HUIZE LTD
www.huize.asia | www.ixp.su | Twitter

This e-mail and any attachments or any reproduction of this e-mail in whatever manner are confidential and for the use of the addressee(s) only. HUIZE LTD can’t take any liability and guarantee of the text of the email message and virus.
--
Manrs-community mailing list
Manrs-community@elists.manrs.org
https://elists.manrs.org/mailman/listinfo/manrs-community

--
Manrs-community mailing list
Manrs-community@elists.manrs.org
https://elists.manrs.org/mailman/listinfo/manrs-community