doube0seven
Explorer

Anti-spoofing: Network defined by routes dropping return traffic on interface that leads to default

Hi all

I wonder if anyone has observed this issue with their security gateways. We have a cluster of 5600 appliances acting as a boundary gateway. This cluster has an interface (let's say eth1) which learns the default route from an upstream Cisco router. The link-net between the router and the eth1 interface on the firewall uses private addressing 10.x.x.x.

I have observed two behaviors which did not make sense to me:

1. Setting the Topology of the eth1 interface as External drops the BGP relation with the router. The IP of the BGP peer is within the link-net /29 network. Is this because the link-net is using private addresses?

2. We set the topology of eth1 to be "defined by routes" for convenience as the routes are learned dynamically. But Anti-spoofing started dropping the return traffic. Should all traffic be allowed given the default route points to this interface?

Setting the interface as External calculates the topology as this:

Calculated Interface Topology
0.0.0.0 - 9.255.255.255
11.0.0.0 - 13.63.255.255
13.96.0.0 - 13.103.255.255
13.108.0.0 - 19.255.255.255
20.32.0.0 - 20.32.255.255
20.128.0.0 - 20.134.255.255
20.137.0.0 - 20.139.255.255
20.142.0.0 - 20.142.255.255
20.144.0.0 - 20.149.255.255
20.154.0.0 - 20.156.255.255
20.176.0.0 - 20.183.255.255
21.0.0.0 - 23.95.255.255
23.103.0.0 - 23.103.63.255
23.104.0.0 - 40.63.255.255
40.66.128.0 - 40.66.255.255
40.72.0.0 - 40.73.255.255
40.108.32.0 - 40.108.127.255
40.109.0.0 - 40.109.255.255
40.125.128.0 - 40.125.255.255
40.126.64.0 - 40.126.127.255
40.128.0.0 - 51.9.255.255
51.14.0.0 - 51.50.255.255
51.52.0.0 - 51.52.255.255
51.54.0.0 - 51.102.255.255
51.106.0.0 - 51.106.255.255
51.108.0.0 - 51.115.255.255
51.117.0.0 - 51.119.255.255
51.121.0.0 - 51.123.255.255
51.125.0.0 - 51.131.255.255
51.133.0.0 - 51.135.255.255
51.139.0.0 - 51.139.255.255
51.146.0.0 - 52.95.255.255
52.116.0.0 - 52.119.255.255
52.124.0.0 - 52.124.255.255
52.128.0.0 - 52.135.255.255
52.144.0.0 - 52.145.255.255
52.192.0.0 - 52.223.255.255
53.0.0.0 - 64.3.255.255
64.4.64.0 - 65.51.255.255
65.56.0.0 - 66.119.143.255
66.119.160.0 - 68.17.255.255
68.20.0.0 - 68.153.255.255
68.156.0.0 - 68.209.255.255
68.212.0.0 - 68.217.255.255
68.222.0.0 - 70.36.255.255
70.37.192.0 - 70.151.255.255
70.154.0.0 - 70.155.255.255
70.158.0.0 - 72.143.255.255
72.148.0.0 - 72.151.255.255
72.156.0.0 - 74.159.255.255
74.164.0.0 - 74.175.255.255
74.180.0.0 - 74.223.255.255
74.228.0.0 - 74.233.255.255
74.236.0.0 - 74.239.255.255
74.244.0.0 - 74.247.255.255
74.250.0.0 - 94.245.63.255
94.245.128.0 - 98.63.255.255
98.68.0.0 - 98.69.255.255
98.72.0.0 - 102.36.255.255
102.38.0.0 - 102.132.255.255
102.134.0.0 - 104.39.255.255
104.48.0.0 - 104.145.255.255
104.146.32.0 - 104.146.127.255
104.147.0.0 - 104.207.255.255
104.216.0.0 - 108.139.255.255
108.144.0.0 - 111.221.15.255
111.221.32.0 - 111.221.63.255
111.221.128.0 - 116.66.244.65
116.66.244.67 - 116.89.237.139
116.89.237.141 - 126.255.255.255
128.0.0.0 - 128.93.255.255
128.95.0.0 - 131.106.255.255
131.108.0.0 - 131.253.0.255
131.253.2.0 - 131.253.2.255
131.253.4.0 - 131.253.4.255
131.253.7.0 - 131.253.7.255
131.253.9.0 - 131.253.11.255
131.253.16.0 - 131.253.20.255
131.253.48.0 - 131.253.60.255
131.253.64.0 - 131.253.71.255
131.253.76.0 - 131.253.79.255
131.253.96.0 - 131.253.111.255
131.253.124.0 - 131.253.127.255
131.254.0.0 - 132.244.255.255
132.246.0.0 - 134.169.255.255
134.171.0.0 - 135.148.255.255
135.150.0.0 - 137.115.255.255
137.118.0.0 - 137.134.255.255
137.136.0.0 - 138.90.255.255
138.92.0.0 - 138.238.255.255
138.240.0.0 - 147.144.255.255
147.146.0.0 - 147.242.255.255
147.244.0.0 - 148.6.255.255
148.8.0.0 - 150.170.255.255
150.172.0.0 - 155.61.255.255
155.63.0.0 - 157.54.255.255
157.57.0.0 - 157.57.255.255
157.59.0.0 - 158.157.255.255
158.159.0.0 - 159.26.255.255
159.28.0.0 - 163.227.255.255
163.229.0.0 - 167.104.255.255
167.106.0.0 - 167.219.255.255
167.221.0.0 - 168.60.255.255
168.64.0.0 - 169.137.255.255
169.139.0.0 - 170.164.255.255
170.166.0.0 - 172.17.31.255
172.17.33.0 - 191.231.255.255
191.240.0.0 - 192.48.224.255
192.48.226.0 - 192.84.159.255
192.84.162.0 - 192.92.195.255
192.92.197.0 - 192.94.169.132
192.94.169.134 - 192.100.103.255
192.100.132.0 - 192.167.255.255
192.168.128.0 - 192.168.129.255
192.168.133.0 - 192.168.135.255
192.168.140.0 - 192.168.159.255
192.168.192.0 - 192.168.253.255
192.168.254.8 - 192.197.156.255
192.197.158.0 - 193.149.63.255
193.149.96.0 - 193.221.112.255
193.221.114.0 - 194.41.15.255
194.41.32.0 - 194.69.95.255
194.69.128.0 - 195.134.223.255
195.135.0.0 - 198.49.7.255
198.49.9.0 - 198.105.231.255
198.105.236.0 - 198.180.96.255
198.180.98.0 - 198.200.129.255
198.200.131.0 - 198.206.163.255
198.206.165.0 - 199.2.136.255
199.2.138.0 - 199.30.15.255
199.30.32.0 - 199.60.27.255
199.60.29.0 - 199.103.89.255
199.103.92.0 - 199.103.121.255
199.103.123.0 - 199.242.31.255
199.242.56.0 - 202.27.43.255
202.27.44.32 - 202.89.223.255
202.89.232.0 - 204.13.119.255
204.13.128.0 - 204.14.179.255
204.14.181.0 - 204.79.134.255
204.79.136.0 - 204.79.178.255
204.79.181.0 - 204.79.194.255
204.79.196.0 - 204.79.196.255
204.79.198.0 - 204.79.251.255
204.79.253.0 - 204.95.95.255
204.95.112.0 - 204.152.139.255
204.152.142.0 - 204.182.143.255
204.182.145.0 - 204.255.243.255
204.255.246.0 - 206.138.167.255
206.138.176.0 - 206.191.223.255
206.192.0.0 - 207.45.255.255
207.46.32.0 - 207.46.35.255
207.47.0.0 - 207.68.127.255
207.68.192.0 - 208.68.135.255
208.68.144.0 - 208.76.44.255
208.76.47.0 - 208.83.255.255
208.84.5.0 - 209.240.191.255
209.240.224.0 - 213.199.127.255
213.199.192.0 - 216.32.179.255
216.32.184.0 - 216.220.207.255
216.220.224.0 - 223.255.255.255
240.0.0.0 - 255.255.255.254

Address Spoofing Protection: Enabled (Detect Mode) - External Interface

Setting the interface as "defined by routes" calculates the topology as below, even though the default route is via this interface:
Calculated Interface Topology
10.204.104.64 - 10.204.104.79

Address Spoofing Protection: Enabled (Detect Mode) - Internal Interface

I'd be keen to know if this is expected behavior and if we have interpreted/utilised this feature in the incorrect way.

Thanks in advance.   
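A worked model of the two topology calculations described in the post, added here as an illustration; it is not Check Point code and not the poster's configuration. The routing table, interface names and addresses are constructed (a 10.0.0.0/8 route behind eth2 stands in for whatever the real gateway had behind its internal interfaces), and the rule that a route-derived topology skips 0.0.0.0/0 is an assumption chosen to reproduce the two calculated topologies the post shows. The script prints each topology in the same range format the gateway displays and then runs the anti-spoofing source check for an Internet address and for the BGP peer's link-net address, so you can see which mode drops which packet.

```python
"""Model of deriving an interface's anti-spoofing topology from a routing
table.  Added illustration, not Check Point code: the routing table below is
constructed, and skipping the default route when computing a route-defined
topology is an assumption made to reproduce the behaviour seen in the post.
"""
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
ALL_V4 = ipaddress.ip_network("0.0.0.0/0")

# Constructed routing table: (prefix, egress interface).  eth1 is the link to
# the upstream router and carries only the BGP-learned default route plus its
# connected link-net; eth2 and eth3 lead to internal networks.
ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "eth1"),          # default, learned from the upstream router
    ("10.204.104.64/28", "eth1"),   # link-net (connected); matches the post
    ("10.0.0.0/8", "eth2"),         # internal summary towards the core (assumed)
    ("172.17.32.0/24", "eth3"),     # DMZ (assumed)
]


def exclude_all(base: List[Net], holes: List[Net]) -> List[Net]:
    """Return `base` with every prefix in `holes` carved out, as collapsed CIDRs."""
    result = list(base)
    for hole in holes:
        nxt: List[Net] = []
        for net in result:
            if hole.subnet_of(net):        # hole inside net: split around it
                nxt.extend(net.address_exclude(hole))
            elif net.subnet_of(hole):      # net wholly inside hole: drop it
                continue
            else:
                nxt.append(net)
        result = nxt
    return list(ipaddress.collapse_addresses(result))


def topology_by_routes(routes: List[Tuple[str, str]], iface: str,
                       include_default: bool = False) -> List[Net]:
    """'Network defined by routes': the prefixes the table sends out of `iface`.
    With include_default=False (assumed, and what the post's output shows) an
    interface whose only route is the default keeps just its link-net;
    include_default=True is what the poster expected instead."""
    nets = []
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix)
        if egress == iface and (include_default or net != ALL_V4):
            nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def topology_external(routes: List[Tuple[str, str]], iface: str) -> List[Net]:
    """'External': every address except the networks routed behind the other
    interfaces.  The link-net is not added back, so here it is swallowed by
    the 10.0.0.0/8 behind eth2; the post's External topology likewise shows
    no 10.x addresses at all."""
    behind_others = [ipaddress.ip_network(p) for p, i in routes
                     if i != iface and ipaddress.ip_network(p) != ALL_V4]
    return exclude_all([ALL_V4], behind_others)


def accepts(topology: List[Net], src: str) -> bool:
    """Anti-spoofing source check: a packet arriving on the interface passes
    only if its source address lies inside the interface's topology."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in topology)


def as_ranges(topology: List[Net]) -> List[str]:
    """Merge contiguous CIDRs into 'first - last' ranges, as the gateway prints them."""
    ranges: List[List[int]] = []
    for net in sorted(topology, key=lambda n: int(n.network_address)):
        lo, hi = int(net.network_address), int(net.broadcast_address)
        if ranges and ranges[-1][1] + 1 == lo:
            ranges[-1][1] = hi           # adjacent: extend the previous range
        else:
            ranges.append([lo, hi])
    return [f"{ipaddress.IPv4Address(lo)} - {ipaddress.IPv4Address(hi)}"
            for lo, hi in ranges]


if __name__ == "__main__":
    modes = [
        ("External", topology_external(ROUTES, "eth1")),
        ("Defined by routes", topology_by_routes(ROUTES, "eth1")),
        ("Defined by routes, default honoured",
         topology_by_routes(ROUTES, "eth1", include_default=True)),
    ]
    for name, topo in modes:
        print(f"eth1 as {name}:")
        for line in as_ranges(topo):
            print("   ", line)
        for src in ("8.8.8.8", "10.204.104.65"):   # Internet host, BGP peer
            verdict = "accepted" if accepts(topo, src) else "dropped"
            print(f"    source {src}: {verdict}")
```

In this model the "defined by routes" result for eth1 is the single link-net range from the post, and Internet return traffic (8.8.8.8) fails the source check in that mode; under "External" the Internet source passes but the peer's link-net address does not, because the assumed 10.0.0.0/8 behind eth2 has swallowed it. The `include_default=True` variant gives the whole address space, which is what the post expected. A useful check before switching a live interface's topology is to compute its ranges this way and confirm that both the BGP peer address and a representative external source fall inside them.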