nanog mailing list archives
Re: Who does source address validation? (was Re: what's that smell?)
From: Danny McPherson <danny () tcb net>
Date: Tue, 08 Oct 2002 09:34:19 -0600
> Install this on all your internal, upstream, downstream interfaces (Cisco router) [CEF required]: "ip verify unicast source reachable-via any" This will drop all packets on the interface that do not have a way to return them in your routing table.
Of course, this is the IP RIB and may not include all the potential paths in the BGP Adj-RIBs-In, right? As such, you've still got the potential for asymmetric routing to break things.
> Juniper has a somewhat viable solution to the 100% source validation for bgp customers. They will consider non-best paths in their unicast-rpf check on the customer interface. This means that even if 35.0.0.0/8 is best returned via your peer instead of via the provider the packet came in, but they are advertising the prefix to you, you will not drop the packet.
What's a "bgp customer"? Can they support 500K+ uRPF entries here?

-danny
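The three source checks discussed in this message (loose "reachable-via any", strict best-path, and the non-best-path check on the customer interface), modelled as an added example that is not part of the original post. The interface names, the 198.51.100.0/24 prefix, the sample sources and the mode labels are constructed assumptions; only 35.0.0.0/8 comes from the thread.

```python
import ipaddress

# Constructed state (assumption): each interface's Adj-RIB-In, and the RIB's
# single best path per prefix. 35.0.0.0/8 is heard from the customer, but the
# best path points at the peer, which is the asymmetric case from the thread.
ADJ_RIB_IN = {
    "customer0": ["35.0.0.0/8"],
    "peer0": ["35.0.0.0/8", "198.51.100.0/24"],
}
RIB_BEST = {"35.0.0.0/8": "peer0", "198.51.100.0/24": "peer0"}


def _covers(prefix, src):
    return ipaddress.ip_address(src) in ipaddress.ip_network(prefix)


def best_interface(src):
    """Longest-prefix match in the RIB; returns the egress interface or None."""
    matches = [p for p in RIB_BEST if _covers(p, src)]
    if not matches:
        return None
    longest = max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)
    return RIB_BEST[longest]


def urpf_accepts(mode, src, in_if):
    """Return True if a packet from src arriving on in_if passes the check."""
    if mode == "loose":      # reachable-via any: some RIB route back exists
        return best_interface(src) is not None
    if mode == "strict":     # best return path must be the arrival interface
        return best_interface(src) == in_if
    if mode == "feasible":   # any path heard on in_if counts, best or not
        return any(_covers(p, src) for p in ADJ_RIB_IN.get(in_if, []))
    raise ValueError(f"unknown mode: {mode}")


def verdicts(src, in_if):
    return {m: urpf_accepts(m, src, in_if) for m in ("loose", "strict", "feasible")}


if __name__ == "__main__":
    for src in ("35.1.2.3", "198.51.100.7", "10.9.9.9"):
        print(src, verdicts(src, "customer0"))
```

On the customer interface, the loose check passes any source that has a route in the RIB, the strict check drops the customer's own 35.0.0.0/8 traffic because the best path is via the peer, and the non-best-path check accepts it while still dropping the prefix the customer never announced.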