—–––—–—–––—––—
Reply above this line.

View your request in our Service Desk: SXINFO-1067 · This is shared with huize.asia, DE-CIX, swissix.ch, Customer Service Bot, joe@atomic.ac, Brandon@huize.asia, and 3 other people.

Brandon@huize.asia commented:

Hi joe,

We also provide IP Transit and we have our iBGP session between each node. If we only allowed our own prefixes range, iBGP would not work.

Best regards,

Brandon Zhi

HUIZE LTD
www.huize.asia | www.ixp.su | Twitter
!https://ci3.googleusercontent.com/mail-sig/AIorK4w5mVhfW4gNpNNG4wjzSr6YXLPGstLI3_79RkgqnXaG2nuFEB1nkGeXOqUOO3ma96TcEVR3iaA!

This e-mail and any attachments or any reproduction of this e-mail in whatever manner are confidential and for the use of the addressee(s) only. HUIZE LTD can’t take any liability and guarantee of the text of the email message and virus.

On Tue, 26 Sept 2023 at 00:18, Joe Botha <joe@atomic.acmail_small.gif> wrote:

Hi

Why do you need to use BGP? You know your own prefixes right?

All traffic leaving your network must have source address in your prefix ranges.


Regards,
Joe

Atomic Access - we make fibre epic!
www.atomicaccess.co.za - 021 300 5046

"The new needs friends." – Anton Ego
www.facebook.com/AtomicAccess
www.instagram.com/AtomicAccess

> On 25 Sep 2023, at 18:09, Brandon Zhi <Brandon@huize.asiamail_small.gif> wrote:
>
> Hi all,
>
> Thank you for your suggestions. I have been studying how to add the prefixes received from BGP to tc rules to whitelist them.
>
> At present, I have not found any relevant tutorials. It would be better if there were relevant tutorials.
>
> Best,
> Brandon Zhi
> HUIZE LTD
> www.huize.asia | www.ixp.su | Twitter
>
> This e-mail and any attachments or any reproduction of this e-mail in whatever manner are confidential and for the use of the addressee(s) only. HUIZE LTD can’t take any liability and guarantee of the text of the email message and virus.
>
>
> On Fri, 15 Sept 2023 at 21:36, Kapteyan Bilişim Teknolojileri AŞ <info@kapteyan.com.trmail_small.gif> wrote:
> Hello,
>
> What is an IP address?
> —
> Best Regards.
> Alperen T. AYDIN
> C-Level Executive
> T: 0850 888 2 507
> F: 0242 922 0 725
> E: info@kapteyan.com.trmail_small.gif
> Kapteyan Bilişim Teknolojileri AŞ
> Tarım Mh. Perge Bulvarı Cd. Perge Plaza İş Merkezi C Blok No: 13/106
> Muratpaşa / ANTALYA
> www.kapteyan.com.tr
>
>> On 15 Sep 2023, at 16:23, Joe Botha <joe@atomic.acmail_small.gif> wrote:
>>
>> Hi
>>
>> Using x86 routers and Mellanox switches running Debian 12 and FRR 9.
>>
>> In both cases we disable rp_filter.
>>
>> On x86 (IPT routers) we use nftables to implement anti-spoofing. Pretty basic - drop all packets that leave our network if source address is not in our IP ranges.
>>
>> On Mellanox (peering routers) we use tc rules (hardware path). Here we drop packets we receive on the fibre network facing interfaces, based on which subnets are routed there. tc syntax involves more rules to write and maintain (vs nft).
>>
>> You could probably use tc in both cases.
>>
>> –
>> Regards,
>> Joe
>>
>> Atomic Access - we make fibre epic!
>> www.atomicaccess.co.za - 021 300 5046
>>
>>
>>
>> <Atomic-Logo.png>
>>
>>
>>
>> "The new needs friends." – Anton Ego
>> www.facebook.com/AtomicAccess
>> www.instagram.com/AtomicAccess
>>
>>
>>
>>
>>> On 14 Sep 2023, at 14:30, Brandon Zhi <Brandon@huize.asiamail_small.gif> wrote:
>>>
>>> Hi guys,
>>>
>>> We are currently researching the use of Bird and Debian 11 as a router. Typically, for implementing asymmetric routing, we would disable source address validation on the Linux network interfaces because Bird only imports the preferred BGP routes into the kernel.
>>>
>>> To disable source address validation, we added the following lines to the /etc/sysctl.conf file:
>>>
>>> echo "net.ipv4.conf.default.rp_filter=0" >> /etc/sysctl.conf
>>> echo "net.ipv4.conf.all.rp_filter=0" >> /etc/sysctl.conf
>>>
>>> However, this causes the Linux router to no longer inspect inbound traffic, making it susceptible to spoofing attacks. For example:
>>>
>>> 10:03:26.838383 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 905: 122.50.0.17.3036 > 39.156.66.10.80: Flags [SE], seq 198995835:198996686, win 60981, length 851: HTTP
>>> 10:03:26.838392 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 947: 122.50.0.152.32073 > 39.156.66.10.80: Flags [S], seq 2101939968:2101940861, win 62208, length 893: HTTP
>>> 10:03:26.838392 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 54: 81.161.230.95.80 > 157.245.124.144.80: Flags [R.], seq 0, ack 21709, win 0, length 0
>>> 10:03:26.838399 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 908: 122.50.0.72.62493 > 124.220.216.71.80: Flags [SE], seq 4095570527:4095571381, win 62133, length 854: HTTP
>>> 10:03:26.838400 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 54: 81.161.230.95.80 > 157.245.124.144.80: Flags [R.], seq 0, ack 5445, win 0, length 0
>>> 10:03:26.838406 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 908: 122.50.1.104.54896 > 39.156.66.10.80: Flags [SE], seq 3597707872:3597708726, win 61211, length 854: HTTP
>>> 10:03:26.838414 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 936: 122.50.2.72.7733 > 39.156.66.10.80: Flags [SE], seq 506840124:506841006, win 62528, length 882: HTTP
>>> 10:03:26.838421 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 944: 122.50.2.135.47620 > 39.156.66.10.80: Flags [SE], seq 3120826456:3120827346, win 61210, length 890: HTTP
>>> 10:03:26.838429 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 947: 122.50.2.178.34590 > 39.156.66.10.80: Flags [SE], seq 2266895668:2266896561, win 62280, length 893: HTTP
>>> 10:03:26.838438 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 907: 122.50.0.244.59325 > 39.156.66.10.80: Flags [SE], seq 3887931453:3887932306, win 64335, length 853: HTTP
>>>
>>> The solutions I can think of are as follows:
>>>
>>> Obtain all routes from BGP, e.g., from AS1 and AS2, via different network interfaces. Then, convert these addresses into a whitelist and filter inbound traffic on the network interfaces based on prefixes using nft.
>>>
>>> Import all routes into the Linux kernel, similar to ECMP (Equal-Cost Multipath Routing).
>>>
>>> However, these implementations can be complex. Does anyone have experience using Linux as a BGP router?
>>>
>>> Thanks,
>>> Brandon Zhi
>>> HUIZE LTD
>>> www.huize.asia | www.ixp.su | Twitter
>>>
>>> This e-mail and any attachments or any reproduction of this e-mail in whatever manner are confidential and for the use of the addressee(s) only. HUIZE LTD can’t take any liability and guarantee of the text of the email message and virus.
>>> –
>>> Manrs-community mailing list
>>> Manrs-community@elists.manrs.orgmail_small.gif
>>> https://elists.manrs.org/mailman/listinfo/manrs-community
>>
>> –
>> Manrs-community mailing list
>> Manrs-community@elists.manrs.orgmail_small.gif
>> https://elists.manrs.org/mailman/listinfo/manrs-community
>
> –
> Manrs-community mailing list
> Manrs-community@elists.manrs.orgmail_small.gif
> https://elists.manrs.org/mailman/listinfo/manrs-community


Manrs-community mailing list
Manrs-community@elists.manrs.org
https://elists.manrs.org/mailman/listinfo/manrs-community

--
SwissIX Internet Exchange

Badenerstrasse 569
CH-8048 Zürich / Switzerland
Technical Helpdesk contact 24/7: support@swissix.ch / +41 (0)44 330 70 90
Commercial Contact: info@swissix.ch
VAT-ID: CHE-110.460.993 MWST