edge
...
This document is aimed at ISP and edge network operators who 1) would
like to learn more of ingress filtering ...
... Strict Reverse Path Forwarding is a very reasonable approach in front
of any kind of edge network; in particular, it is far superior to
Ingress Access Lists when the network ...
... network; in particular, it is far superior to
Ingress Access Lists when the network edge is advertising multiple
prefixes using BGP ...
... IP datagrams in one direction and responses from
the other deterministically follow the same path. While this is
common at edge network interfaces to their ISP, it is in no sense
...
... RPF filtering between the primary and secondary edge routers; in
particular, when applied to multihoming to different ISPs ...
... In the case of asymmetric routing and/or multihoming at the edge of
the network, this approach provides a way to relatively easily
...
... Loose Reverse Path Forwarding has problems, however. Since it
sacrifices directionality, it loses the ability to limit an edge
network's traffic ...
... links. However, like Loose RPF, since it
sacrifices directionality, it loses the ability to limit an edge
network's traffic ...
... ISP and the end
user. It's perfectly fine, and recommended, to also perform ingress
filtering at the edges of ISPs where appropriate, at the routers
...
... complete, as described in Section 4.2.
6. Ensure that edge networks only deliver traffic to their ISPs ...
... The use of Loose RPF does not seem like a good choice between the
edge network and the ISP, since it loses the directionality of the
...
... addresses in routing. This will often require the
edge network to use provider-independent prefixes ...
... upstream
to the major transit ISPs. Of necessity, this implies that the edge
network will be of a size and technical competence ...
... operational techniques both work quite well for multihomed or
asymmetric scenarios between the ISP and an edge network.
...
...
This is not a complicated procedure, but requires careful planning
and configuration. For robustness, the edge network may choose to
connect to each of its ISPs ...
... ISP [4][5]. This way the edge routers are configured to first
inspect the source address of a packet destined to an ISP ...
... If such a scenario is applied exhaustively, so that an exit router is
chosen in the edge network for every prefix the network ...
... o Ingress Access Lists require typically manual maintenance, but are
the most bulletproof when done properly; typically, ingress access
lists are best fit between the edge and the ISP when the
configuration is not too dynamic if strict RPF ...
... o Strict RPF check is a very easy and sure way to implement ingress
filtering. It is typically fit between the edge network and the
ISP ...
... be carefully considered before applying it. Especially when applied
by an ISP towards an edge network, there don't seem to be many
reasons why a stricter form of ingress filtering ...
... techniques could almost always be applied between the ISP and
multi-homed edge networks as well.
...
