Hi all, Thank you for your suggestions. I have been studying how to add the prefixes received from BGP to tc rules to whitelist them. At present, I have not found any relevant tutorials. It would be better if there were relevant tutorials. Best, *Brandon Zhi* HUIZE LTD www.huize.asia <https://huize.asia/>| www.ixp.su | Twitter This e-mail and any attachments or any reproduction of this e-mail in whatever manner are confidential and for the use of the addressee(s) only. HUIZE LTD can’t take any liability and guarantee of the text of the email message and virus. On Fri, 15 Sept 2023 at 21:36, Kapteyan Bilişim Teknolojileri AŞ < info@kapteyan.com.tr> wrote:
Hello,
What is an IP address?
—
Best Regards.
*Alperen T. AYDIN* C-Level Executive
T: 0850 888 2 507 F: 0242 922 0 725 E: info@kapteyan.com.tr
*Kapteyan Bilişim Teknolojileri AŞ* Tarım Mh. Perge Bulvarı Cd. Perge Plaza İş Merkezi C Blok No: 13/106 Muratpaşa / ANTALYA
*www.kapteyan.com.tr <http://www.kapteyan.com.tr/>*
* <https://twitter.com/kapteyancomtr> <https://www.facebook.com/kapteyancomtr/> <https://instagram.com/kapteyanteknoloji>*
On 15 Sep 2023, at 16:23, Joe Botha <joe@atomic.ac> wrote:
Hi
Using x86 routers and Mellanox switches running Debian 12 and FRR 9.
In both cases we disable rp_filter.
On x86 (IPT routers) we use nftables to implement anti-spoofing. Pretty basic - drop all packets that leave our network if source address is not in our IP ranges.
On Mellanox (peering routers) we use tc rules (hardware path). Here we drop packets we receive on the fibre network facing interfaces, based on which subnets are routed there. tc syntax involves more rules to write and maintain (vs nft).
You could probably use tc in both cases.
-- Regards, Joe
Atomic Access - we make fibre epic! www.atomicaccess.co.za - 021 300 5046
<Atomic-Logo.png>
"The new needs friends." -- Anton Ego www.facebook.com/AtomicAccess www.instagram.com/AtomicAccess
On 14 Sep 2023, at 14:30, Brandon Zhi <Brandon@huize.asia> wrote:
Hi guys,
We are currently researching the use of Bird and Debian 11 as a router. Typically, for implementing asymmetric routing, we would disable source address validation on the Linux network interfaces because Bird only imports the preferred BGP routes into the kernel.
To disable source address validation, we added the following lines to the /etc/sysctl.conf file:
echo "net.ipv4.conf.default.rp_filter=0" >> /etc/sysctl.conf echo "net.ipv4.conf.all.rp_filter=0" >> /etc/sysctl.conf
However, this causes the Linux router to no longer inspect inbound traffic, making it susceptible to spoofing attacks. For example:
10:03:26.838383 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 905: 122.50.0.17.3036 > 39.156.66.10.80: Flags [SE], seq 198995835:198996686, win 60981, length 851: HTTP 10:03:26.838392 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 947: 122.50.0.152.32073 > 39.156.66.10.80: Flags [S], seq 2101939968:2101940861, win 62208, length 893: HTTP 10:03:26.838392 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 54: 81.161.230.95.80 > 157.245.124.144.80: Flags [R.], seq 0, ack 21709, win 0, length 0 10:03:26.838399 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 908: 122.50.0.72.62493 > 124.220.216.71.80: Flags [SE], seq 4095570527:4095571381, win 62133, length 854: HTTP 10:03:26.838400 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 54: 81.161.230.95.80 > 157.245.124.144.80: Flags [R.], seq 0, ack 5445, win 0, length 0 10:03:26.838406 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 908: 122.50.1.104.54896 > 39.156.66.10.80: Flags [SE], seq 3597707872:3597708726, win 61211, length 854: HTTP 10:03:26.838414 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 936: 122.50.2.72.7733 > 39.156.66.10.80: Flags [SE], seq 506840124:506841006, win 62528, length 882: HTTP 10:03:26.838421 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 944: 122.50.2.135.47620 > 39.156.66.10.80: Flags [SE], seq 3120826456:3120827346, win 61210, length 890: HTTP 10:03:26.838429 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 947: 122.50.2.178.34590 > 39.156.66.10.80: Flags [SE], seq 2266895668:2266896561, win 62280, length 893: HTTP 10:03:26.838438 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 907: 122.50.0.244.59325 > 39.156.66.10.80: Flags [SE], seq 3887931453:3887932306, win 64335, length 853: HTTP
The solutions I can think of are as follows:
Obtain all routes from BGP, e.g., from AS1 and AS2, via different network interfaces. Then, convert these addresses into a whitelist and filter inbound traffic on the network interfaces based on prefixes using nft.
Import all routes into the Linux kernel, similar to ECMP (Equal-Cost Multipath Routing).
However, these implementations can be complex. Does anyone have experience using Linux as a BGP router?
Thanks, Brandon Zhi HUIZE LTD www.huize.asia | www.ixp.su | Twitter
This e-mail and any attachments or any reproduction of this e-mail in whatever manner are confidential and for the use of the addressee(s) only. HUIZE LTD can’t take any liability and guarantee of the text of the email message and virus. -- Manrs-community mailing list Manrs-community@elists.manrs.org https://elists.manrs.org/mailman/listinfo/manrs-community
-- Manrs-community mailing list Manrs-community@elists.manrs.org https://elists.manrs.org/mailman/listinfo/manrs-community
-- Manrs-community mailing list Manrs-community@elists.manrs.org https://elists.manrs.org/mailman/listinfo/manrs-community