Say I have 4 imaginary routers, each configured with a different AS number and running BGP in a series configuration. Also, say that all 4 of these routers have routes to public addresses and thus can reach the Internet. Also, assume that I do not have any ingress or egress filtering based on source IP address on any of these 4 routers.
So, imagine that I have a host configured with an RFC1918 IP address (say 10.3.0.35/24) attached to one of these 4 BGP routers.
The question is: if I were to ping, say, Cisco.com, can I say that the ICMP ping packets will be able to reach Cisco.com's public IP address, but have no way to come back, because all 4 BGP routers and the other intermediate routers have no routes to the private subnet 10.3.0.0/24? Again, the assumption here is that there is no ingress or egress filtering whatsoever at any of the intermediate routers that drops packets (based on source IP) from the host to Cisco.com.
What I am trying to say is that BGP routing is based on the destination IP address, regardless of whether the source IP is private, and hence as long as the destination IP is valid and present in the routing table, the router will route the packets, right?
If my statement is wrong, then what is the feature of BGP that can drop a packet with an invalid source IP of 10.3.0.35, despite the fact that there is no ingress or egress filter that drops packets sourced from 10.3.0.35?
Lacking configuration of filters or unicast RPF checks to the contrary, yes, traffic sourced from your RFC1918 space will reach its destination, but it cannot be returned due to lack of a return path.
There exists a feature called "Unicast RPF", invoked on an interface with "ip verify unicast reverse-path", which requires that any traffic arriving on that interface have a source address whose return path points back down that same interface, or it is dropped. This is a quick and flexible way to set up anti-spoofing and bogon (like RFC1918) filters; in addition, some platforms can do it in hardware.
This isn't really part of BGP, but it can use routes from BGP (or any IGP) to make its RPF checks. Search CCO for documentation on Unicast RPF.
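To make the two points in the thread concrete (forwarding looks only at the destination, and uRPF is what brings the source into the decision), here is an added toy model of a single router. It is not Cisco code and not part of the original posts; the FIB, interface names and addresses are constructed for illustration, and the `urpf_check` function mirrors the semantics of the IOS command `ip verify unicast source reachable-via {rx | any} [allow-default]` (strict vs. loose mode, with the default route excluded unless allow-default is given), as I understand them.

```python
"""Toy router: destination-only forwarding plus a Unicast RPF source check.

Added example, not Cisco code. Routing table, interfaces and addresses are
constructed; 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 are RFC 5737
documentation prefixes standing in for "public" space.
"""
from ipaddress import ip_address, ip_network

# Constructed FIB: (prefix, egress interface).  Deliberately no route for
# 10.0.0.0/8 or any other RFC1918 block; only the default covers them, which
# is exactly the situation the question describes.
ROUTES = [
    (ip_network("0.0.0.0/0"), "Gi0/0"),        # default toward upstream / Internet
    (ip_network("198.51.100.0/24"), "Gi0/1"),  # customer A
    (ip_network("203.0.113.0/24"), "Gi0/2"),   # customer B
]


def lookup(addr):
    """Longest-prefix match. Returns (prefix, interface) or None."""
    a = ip_address(addr)
    best = None
    for prefix, iface in ROUTES:
        if a in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def forward(dst):
    """Ordinary forwarding: only the destination is consulted, never the source."""
    hit = lookup(dst)
    return hit[1] if hit else None


def urpf_check(src, in_iface, mode="strict", allow_default=False):
    """Model of 'ip verify unicast source reachable-via rx|any [allow-default]'.

    strict ("rx"):  the best route for src must point back out in_iface.
    loose  ("any"): any route for src is enough, regardless of interface.
    In both modes the default route only counts as a match when
    allow_default is set, so an RFC1918 source with no specific route fails.
    """
    hit = lookup(src)
    if hit is None:
        return False
    prefix, iface = hit
    if prefix.prefixlen == 0 and not allow_default:
        return False          # only the default route matched: treat as no route
    if mode == "loose":
        return True
    return iface == in_iface  # strict: must arrive where we would send replies


def handle_packet(src, dst, in_iface, urpf=None):
    """Process one packet. urpf is None (no check), 'strict' or 'loose'.

    Returns 'dropped:urpf', 'dropped:no-route' or 'forwarded:<egress iface>'.
    """
    if urpf is not None and not urpf_check(src, in_iface, mode=urpf):
        return "dropped:urpf"
    out = forward(dst)
    return f"forwarded:{out}" if out else "dropped:no-route"


if __name__ == "__main__":
    # The scenario from the question: private source on customer A's port,
    # no uRPF anywhere -> the ping leaves via the default route just fine.
    print(handle_packet("10.3.0.35", "192.0.2.1", "Gi0/1"))
    # ...but the reply to 10.3.0.35 has nothing better than the default route.
    print(lookup("10.3.0.35"))
    # With uRPF on the ingress interface the same packet is dropped.
    print(handle_packet("10.3.0.35", "192.0.2.1", "Gi0/1", urpf="strict"))
    # A legitimate customer A source passes strict mode on its own port but
    # fails it when spoofed from customer B's port; loose mode lets both through.
    print(handle_packet("198.51.100.7", "192.0.2.1", "Gi0/1", urpf="strict"))
    print(handle_packet("198.51.100.7", "192.0.2.1", "Gi0/2", urpf="strict"))
    print(handle_packet("198.51.100.7", "192.0.2.1", "Gi0/2", urpf="loose"))
```

Two things worth noting from running it. First, `lookup("10.3.0.35")` returns the default route, so the "return path" for the private host is just "hand it to the upstream"; in a default-free core nobody holds that route, which is the answer's "lack of a return path". Second, loose mode stops the RFC1918 source only because the default route is excluded from the match; enable `allow_default` (the `allow-default` keyword) and loose mode passes anything, so on an edge with a default route it is strict mode, or an explicit bogon ACL, that does the anti-spoofing work.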