Packet Filtering vs. Routing Filtering
Packet filtering
  – Applied to network layer packets being forwarded
  – Usually based on IP and transport headers
  – Out of scope of this document
Routing filtering
  – Applied to routing packets being sent or received
  – Based on the routing protocol along with other protocols
  – Fits in the scope of this document
Filters for External Routing Protocols
Current implementation
  – Applied to both sent and received routing packets on a per-interface basis
  – Outbound Route Filter (ORF), whether and which ORF, on a per-interface basis
  – Limit the scope of route redistribution between different routing protocols
Filtering Criteria
  – Specific route prefixes
  – Maximum length of route prefixes
  – Maximum number of route prefixes received
  – AS_PATH
  – BGP community and extended community
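
The filtering criteria listed above, applied in sequence to routes received from one neighbor. This is an added example, not from the original slides or any router implementation; the class and field names, the order of checks, and the sample prefixes, ASNs and community value are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Route:
    prefix: str
    as_path: list
    communities: set = field(default_factory=set)

@dataclass
class InboundFilter:              # hypothetical per-neighbor filter state
    denied_prefixes: list         # specific prefixes (and anything inside them) to reject
    max_prefix_len: int           # longest mask length accepted
    max_prefixes: int             # cap on prefixes accepted from this neighbor
    denied_asns: set              # ASNs that must not appear anywhere in AS_PATH
    denied_communities: set       # community values that cause rejection
    accepted: int = 0

    def check(self, route):
        """Return (accepted, reason) for one received route."""
        net = ipaddress.ip_network(route.prefix)
        for denied in self.denied_prefixes:
            if net.subnet_of(ipaddress.ip_network(denied)):
                return False, "prefix"
        if net.prefixlen > self.max_prefix_len:
            return False, "prefix-length"
        if self.denied_asns & set(route.as_path):
            return False, "as-path"
        if self.denied_communities & route.communities:
            return False, "community"
        # Assumption: routes over the limit are simply rejected here;
        # a router may instead log or reset the session.
        if self.accepted >= self.max_prefixes:
            return False, "max-prefixes"
        self.accepted += 1
        return True, "ok"

def run_sample():
    # Constructed updates using documentation prefixes and private-use ASNs.
    f = InboundFilter(["10.0.0.0/8"], 24, 2, {64512}, {"65000:666"})
    updates = [
        Route("198.51.100.0/24", [64500, 64501]),
        Route("10.1.0.0/16", [64500]),                    # inside a denied prefix
        Route("203.0.113.128/25", [64500]),               # longer than /24
        Route("192.0.2.0/24", [64500, 64512]),            # denied ASN in path
        Route("192.0.2.0/24", [64500], {"65000:666"}),    # denied community
        Route("192.0.2.0/24", [64500]),
        Route("203.0.113.0/24", [64500]),                 # exceeds prefix count
    ]
    return [f.check(r)[1] for r in updates]
```
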
Filters for IGP Areas
IGP requires the same view of the topology within an area
  – Routes should be flooded unchanged
  – Infeasible to implement filtering within an area
Filtering between IGP areas
  – Router may provide the option to filter routing between IGP areas
  – Caution: the routing filtering may result in some addresses being unreachable
Filters by TTL
Accept packets only from an immediate neighbor
  – TTL spoofing is supposed to be impossible
  – Most routing packets originate from an immediate neighbor
  – TTL is 255 if the neighbor sets the default 255
Note: not applicable to Multi-hop IBGP
Route Flap Dampening
Route flap is bad
  – How about route flap dampening?
Configurable
  – Timer
  – Could be turned off
    » http://www.ripe.net/ripe/docs/ripe-378.html
Routing Authentication
Key must be configurable on the router
System transition from one key to another based on system time
Stronger algorithms than MD5
  – Rescorla-Bellovin analysis
Preferable key distribution/update mechanism
Note: the current routing protocol specification (standards track) on authentication is too weak to meet security requirements
What is the next step?
Adopted as a working group document?