My apologies, I misunderstood your question. However, isn't ICMP into your connector networks a small thing? I don't think anything catastrophic would happen if someone pinged your router and the return traffic took your primary link. The traceroute packets would only be discarded if your ISP has some sort of RPF enabled, which is rare on an internet link. Even if they were, this would not affect traffic from your users or downstreams. I guess you could do filter-based forwarding to rectify this behavior, but it seems a little like putting out a match with a firehose.
Jm2c

Keegan

From: Tore Anderson <t...@linpro.no>
To: keegan.hol...@sungard.com
Cc: juniper-nsp <juniper-nsp@puck.nether.net>, "Justin M. Streiner" <strei...@cluebyfour.org>
Date: 02/06/2009 12:20 PM
Subject: Re: [j-nsp] network engineering

* keegan.hol...@sungard.com

> Direct routes always take precedence over BGP unless it's configured
> otherwise so hopefully this address is in your IGP or next hop self is
> configured. Also, if you're talking only about the directly connected
> route used for your peer, wouldn't the return traffic be your fault for
> advertising 123.0.0/30 to AS321 and vice versa?

The direct routes on the eBGP links are only to 123.0.0.0/30 and 321.0.0.0/30 in my example. What I'm talking about is if someone sends a ping from, say, 111.0.0.1 in AS111 (an AS to which I'm not connected), to 321.0.0.2, and I want to reply to that ping. This is what happens:

The ping packet will reach me through the link to AS321 due to the fact that 321.0.0.2 is part of AS321's PA space; I have no control over that. However, when my router is replying to that packet it'll look up the route to 111.0.0.1, find that it's available as an eBGP route (_not_ as a directly connected route) through both AS123 and AS321, and since routes learnt from AS123 have a higher local preference my router will, by default, route the ping reply packet using the route through AS123. Which is in my opinion bad, since the source address of the ping reply is 321.0.0.2, part of AS321's PA space, not my own.

I believe the same problem will occur if 111.0.0.1 does a traceroute to somewhere inside my network and the inbound packets come through AS321: the ICMP TTL exceeded packets will be routed out through AS123 and possibly be discarded.

Regards,
--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/
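
Added example, not part of the thread: a small Python model of the route lookup Tore describes and of the strict RPF check Keegan mentions, using the thread's placeholder addresses. The /24 and /16 prefix lengths, the local-preference values, the interface names, the 123.0.0.2 address and AS123's routing table are all assumptions made for the illustration.

```python
def to_int(addr):
    """Dotted quad to int. The thread's 321.x placeholder is not valid IPv4,
    so octets are deliberately not range-checked (constructed model only)."""
    n = 0
    for octet in addr.split("."):
        n = n * 256 + int(octet)
    return n

def covers(prefix, addr):
    net, plen = prefix.split("/")
    shift = 32 - int(plen)
    return to_int(net) >> shift == to_int(addr) >> shift

# (prefix, protocol, local_pref, egress interface); values below are assumed
MY_ROUTER = [
    ("123.0.0.0/30", "direct", None, "to-AS123"),
    ("321.0.0.0/30", "direct", None, "to-AS321"),
    ("111.0.0.0/24", "bgp", 200, "to-AS123"),   # preferred upstream
    ("111.0.0.0/24", "bgp", 100, "to-AS321"),
]
# Assumed view of AS123's edge: AS321's PA space is reached via its own upstream
AS123_EDGE = [
    ("123.0.0.0/30", "direct", None, "customer"),
    ("321.0.0.0/16", "bgp", 100, "upstream"),
]

def best_route(table, dst):
    """Longest prefix first, then direct over BGP, then highest local-pref."""
    candidates = [r for r in table if covers(r[0], dst)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (int(r[0].split("/")[1]), r[1] == "direct", r[2] or 0))

def strict_rpf_accepts(table, src, in_iface):
    """Strict RPF: accept only if the best route back to src uses in_iface."""
    route = best_route(table, src)
    return route is not None and route[3] == in_iface

def reply_fate(src, dst):
    """Egress chosen for a locally generated reply, and whether AS123 would
    accept it if it ran strict RPF on the customer-facing interface."""
    egress = best_route(MY_ROUTER, dst)[3]
    if egress != "to-AS123":
        return egress, True   # AS321 is assumed to accept its own PA space
    return egress, strict_rpf_accepts(AS123_EDGE, src, "customer")

if __name__ == "__main__":
    print(reply_fate("321.0.0.2", "111.0.0.1"))  # reply sourced from AS321 space
    print(reply_fate("123.0.0.2", "111.0.0.1"))  # reply sourced from AS123 link
```

The destination lookup never considers the reply's source address, which is why the reply sourced from 321.0.0.2 leaves through AS123 and is dropped only when AS123 enforces strict RPF.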