Destination-Side Source Address Validation

Hello,
I have a question regarding how to successfully implement DSAV in our case. DSAV (destination-side source address validation) is the filtering of spoofed incoming traffic at the network border.

We are using BGP with two uplink providers. Each uplink is connected to a Mikrotik via SFP; they then connect to an aggregation Mikrotik.
Schema:

ISP1 BGP (Mikrotik)
|
Aggregation (Mikrotik)
|
ISP2 BGP (Mikrotik)

I am using OSPF to distribute data between.

I have tried to create an input firewall rule to drop all the packets arriving at the ISP1 BGP Mikrotik via the SFP interface with a source IP of our public IP class, and the same for the ISP2 BGP Mikrotik, but it still goes through.

Thank you in advance for help!

Guys, how do you solve this potential security issue?

You must use the FORWARD chain: you effectively want to DROP packets coming in SOURCED with your own public prefixes, destined for some hosts behind the Mikrotik.
The INPUT chain is for traffic directed at the Mikrotik itself; this is not the case here.
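
The input-versus-forward distinction from the answer above, as a RouterOS configuration sketch. This is an added example, not part of the original posts; the interface name `sfp1`, the list name `own-prefixes` and the prefix `203.0.113.0/24` are placeholders assumed for illustration.

```routeros
# Added example. Assumptions: sfp1 is the uplink port on each border router,
# and 203.0.113.0/24 stands in for the operator's own public prefix.
# Apply the same rules on both the ISP1 and ISP2 border routers.

/ip firewall address-list
add list=own-prefixes address=203.0.113.0/24 comment="placeholder: our public prefix"

/ip firewall filter
# What the question tried: chain=input only sees packets addressed to the
# router itself, so spoofed packets in transit to hosts behind it never match.
# It is kept because it still protects the router's own addresses.
add chain=input in-interface=sfp1 src-address-list=own-prefixes action=drop \
    log=yes log-prefix="dsav-input" comment="DSAV: own prefix as source, to router"

# The fix from the answer: chain=forward sees routed (transit) traffic.
# Matching on the uplink in-interface keeps legitimate traffic sourced from
# the same prefix, arriving from the aggregation side, unaffected.
add chain=forward in-interface=sfp1 src-address-list=own-prefixes action=drop \
    log=yes log-prefix="dsav-fwd" comment="DSAV: own prefix as source, transit"

# Rule order matters: both drops must sit above any accept rule in their
# chain that would otherwise match these packets first.
```

The log prefixes make dropped spoofed packets visible in the router log, which helps confirm that the forward rule is the one taking the hits.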

Thanks, that was it. I used the INPUT chain instead of the FORWARD chain :)