nanog mailing list archives
Re: CEF RPF check w/ACLs (was: Re: netscan.org update)
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Thu, 28 Sep 2000 10:49:47 -0400
At 02:49 PM 9/28/2000 +0100, James A. T. Rice wrote:

>ip verify unicast reverse-exists
>
>i.e. only accept the packet on this interface if there is a route back to
>the source, *not necessarily on the same interface*..
>This should be safe to use on all interfaces and could use the existing
>CEF FIB, and might catch a lot of spoofed packets on a good day.

That would only stop Bogons on most core routers (full tables, right?).

>ip verify unicast destination-advertised
>
>This would check the destination address on any packet coming into an
>interface, and drop it if a route to that destination WASN'T advertised out
>of that interface - /ideal/ for NAPs & IX's. Couldn't use the existing cef
>tables, cisco would need to write an advertised-table for each
>interface. Again this should be safe to use on almost any interface.

Hrmmm.... That would be nice....But there are other ways to do this. They may or may not be useful / applicable in your environment, but it can be done without this feature.

>James

TTFN,
patrick
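
The two checks proposed in the quoted text, modelled next to strict RPF, as an added example that is not part of the original message. The FIB, interface names and advertised-prefix table are constructed, and the function names are hypothetical, not Cisco commands or APIs.

```python
import ipaddress

# Constructed FIB for a hypothetical router: (prefix, egress interface).
# RFC 5737 documentation prefixes stand in for real routes.
FIB = [
    ("192.0.2.0/24", "cust0"),          # customer route
    ("198.51.100.0/24", "peer0"),       # learned from an IX peer
    ("198.51.100.128/25", "transit0"),  # more-specific via transit (asymmetric)
]
# Constructed per-interface table of prefixes advertised out that interface.
ADVERTISED = {"peer0": ["192.0.2.0/24"], "cust0": ["0.0.0.0/0"]}

def lookup(addr, table=FIB):
    """Longest-prefix match; returns the egress interface, or None if no route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def strict_rpf(src, in_iface):
    """Accept only if the best route back to src uses the arrival interface."""
    return lookup(src) == in_iface

def reverse_exists(src, in_iface):
    """Proposed check: accept if any route to src exists, on any interface."""
    return lookup(src) is not None

def destination_advertised(dst, in_iface):
    """Proposed check: accept only if a covering route was advertised out in_iface."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(p) for p in ADVERTISED.get(in_iface, []))

if __name__ == "__main__":
    # (source, destination, arrival interface), all constructed
    packets = [
        ("198.51.100.200", "192.0.2.7", "peer0"),  # legitimate, asymmetric path
        ("192.0.2.5", "192.0.2.7", "peer0"),       # spoofed but routed source
        ("203.0.113.9", "192.0.2.7", "peer0"),     # source with no route (bogon here)
        ("198.51.100.5", "198.51.100.5", "peer0"), # destination never advertised to peer
    ]
    for src, dst, iface in packets:
        print(src, dst, iface, strict_rpf(src, iface),
              reverse_exists(src, iface), destination_advertised(dst, iface))
```

The second packet shows the limitation raised in the reply: a spoofed source that has any route in the table passes the reverse-exists check, so only unrouted sources are dropped.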