Brandon@huize.asia commented:

yeah, it is better to compare with getting prefixes from the BGP session. On the other hand, the BGP software only imports the best route into the kernel, which results in the inability to implement asymmetric routing even if loose mode is turned on.

Sometimes it doesn't work if I set rp_filter=2.

Brandon Zhi

HUIZE LTD
www.huize.asia | www.ixp.su | Twitter
!https://ci3.googleusercontent.com/mail-sig/AIorK4w5mVhfW4gNpNNG4wjzSr6YXLPGstLI3_79RkgqnXaG2nuFEB1nkGeXOqUOO3ma96TcEVR3iaA!

This e-mail and any attachments or any reproduction of this e-mail in whatever manner are confidential and for the use of the addressee(s) only. HUIZE LTD can’t take any liability and guarantee of the text of the email message and virus.

On Fri, 15 Sept 2023 at 17:16, Verschuren, Antoin <averschuren@libertyglobal.com> wrote:

> Obtain all routes from BGP, e.g., from AS1 and AS2, via different network interfaces. Then, convert these addresses into a whitelist and filter inbound traffic on the network interfaces based on prefixes using nft.

Why not use bgpq4 or similar to generate the prefix-filters from IRR data? Works like a charm for prefix filter lists < 5000 aggregated prefixes per AS as long as your peers maintain their IRR data (which is a MANRS requirement 😉).

Additional benefit is you can use the same prefix filter lists for route filtering and supports multiple router vendors.

Kind regards,

Antoin Verschuren
Senior Manager Network Security

M + 31 6 15682664

Liberty Global Technology Services B.V.

Boeing Avenue 53

1119 PE Schiphol-Rijk

The Netherlands

www.libertyglobal.com

From: Manrs-community <manrs-community-bounces@elists.manrs.org> On Behalf Of Brandon Zhi
Sent: Thursday 14 September 2023 14:30
To: Manrs-community@elists.manrs.org
Subject: [manrs-community] Implementation of Anti-Spoofing and Asymmetric Routing on Linux Routers.

Hi guys,

We are currently researching the use of Bird and Debian 11 as a router. Typically, for implementing asymmetric routing, we would disable source address validation on the Linux network interfaces because Bird only imports the preferred BGP routes into the kernel.

To disable source address validation, we added the following lines to the /etc/sysctl.conf file:

echo "net.ipv4.conf.default.rp_filter=0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.rp_filter=0" >> /etc/sysctl.conf

However, this causes the Linux router to no longer inspect inbound traffic, making it susceptible to spoofing attacks. For example:

10:03:26.838383 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 905: 122.50.0.17.3036 > 39.156.66.10.80: Flags [SE], seq 198995835:198996686, win 60981, length 851: HTTP
10:03:26.838392 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 947: 122.50.0.152.32073 > 39.156.66.10.80: Flags [S], seq 2101939968:2101940861, win 62208, length 893: HTTP
10:03:26.838392 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 54: 81.161.230.95.80 > 157.245.124.144.80: Flags [R.], seq 0, ack 21709, win 0, length 0
10:03:26.838399 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 908: 122.50.0.72.62493 > 124.220.216.71.80: Flags [SE], seq 4095570527:4095571381, win 62133, length 854: HTTP
10:03:26.838400 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 54: 81.161.230.95.80 > 157.245.124.144.80: Flags [R.], seq 0, ack 5445, win 0, length 0
10:03:26.838406 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 908: 122.50.1.104.54896 > 39.156.66.10.80: Flags [SE], seq 3597707872:3597708726, win 61211, length 854: HTTP
10:03:26.838414 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 936: 122.50.2.72.7733 > 39.156.66.10.80: Flags [SE], seq 506840124:506841006, win 62528, length 882: HTTP
10:03:26.838421 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 944: 122.50.2.135.47620 > 39.156.66.10.80: Flags [SE], seq 3120826456:3120827346, win 61210, length 890: HTTP
10:03:26.838429 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 947: 122.50.2.178.34590 > 39.156.66.10.80: Flags [SE], seq 2266895668:2266896561, win 62280, length 893: HTTP
10:03:26.838438 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 907: 122.50.0.244.59325 > 39.156.66.10.80: Flags [SE], seq 3887931453:3887932306, win 64335, length 853: HTTP

The solutions I can think of are as follows:

Obtain all routes from BGP, e.g., from AS1 and AS2, via different network interfaces. Then, convert these addresses into a whitelist and filter inbound traffic on the network interfaces based on prefixes using nft.

Import all routes into the Linux kernel, similar to ECMP (Equal-Cost Multipath Routing).

However, these implementations can be complex. Does anyone have experience using Linux as a BGP router?

Thanks,

Brandon Zhi

HUIZE LTD

www.huize.asia | www.ixp.su | Twitter

This e-mail and any attachments or any reproduction of this e-mail in whatever manner are confidential and for the use of the addressee(s) only. HUIZE LTD can’t take any liability and guarantee of the text of the email message and virus.

–
Manrs-community mailing list
Manrs-community@elists.manrs.org
https://elists.manrs.org/mailman/listinfo/manrs-community