nanog mailing list archives
Re: Who does source address validation? (was Re: what's that smell?)
From: Jared Mauch <jared () puck Nether net>
Date: Tue, 8 Oct 2002 12:15:05 -0400
On Tue, Oct 08, 2002 at 12:09:56PM -0400, Jeff Aitken wrote:
> On Tue, Oct 08, 2002 at 11:49:41AM -0400, Jared Mauch wrote:
> > > Of course, this is the IP RIB and may not include all the potential
> > > paths in the BGP Adj-RIBs-In, right? As such, you've still got the
> > > potential for asymmetric routing to break things.
> >
> > No, this is "if I have a path in fib" back to this source, transmit
> > else drop;
>
> Unless I'm missing something, that's what he said; fib == loc-rib for
> the purposes of this discussion, and loc-rib is built from the various
> adj-ribs-in.

Correct, but it is not doing a check to see if it's returnable via the interface it came in, just if it's returnable at all. As the fib/rib is built off of the adj-rib-in (minus filtering and local policy), and the check on the Cisco validates against the CEF (fib) table on the Linecard (or centralized CPU in the case of non-[fully-]distributed platforms), I wanted to clarify the check that is performed.

> That said, I'm curious to know how asymmetric routing can break this.
> As long as someone is sending (and you are installing) a prefix that
> includes the source address this check will pass. If you don't have a
> route back to the source at all, that isn't asymmetric routing, it's
> network partitioning, assuming the source is legitimate.

Exactly. If I can't reach you, I don't want to have my hosts or routers spend more time than is necessary dealing with your requests.

- Jared

--
Jared Mauch | pgp key available via finger from jared () puck nether net
clue++;     | http://puck.nether.net/~jared/ My statements are only mine.
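The two checks contrasted in the message above, sketched as an added example that is not part of the original post: the "any path in the FIB" check (commonly called loose-mode uRPF) next to the per-interface check (strict mode), run over an asymmetrically routed packet. The FIB contents, interface names and packets are constructed, and the FIB is assumed to hold no default route.

```python
import ipaddress

# Constructed FIB: prefix -> interfaces the best path(s) point out of.
# Documentation prefixes and hypothetical interface names; no default route.
FIB = {
    "198.51.100.0/24": {"ge-0/0/1"},
    "203.0.113.0/24": {"ge-0/0/2"},
}

def lookup(fib, src):
    """Longest-prefix match on the source; returns the interface set or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifaces in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best[1] if best else None

def urpf_loose(fib, src):
    """The check described in the thread: any FIB path back to src -> transmit."""
    return lookup(fib, src) is not None

def urpf_strict(fib, src, in_iface):
    """Per-interface variant: src must be reachable via the arrival interface."""
    ifaces = lookup(fib, src)
    return ifaces is not None and in_iface in ifaces

def classify(fib, packets):
    """Return (src, in_iface, loose_verdict, strict_verdict) for each packet."""
    return [(s, i, urpf_loose(fib, s), urpf_strict(fib, s, i)) for s, i in packets]

# Constructed packets: (source address, arrival interface)
PACKETS = [
    ("198.51.100.7", "ge-0/0/1"),  # symmetric: arrives where the route points
    ("198.51.100.7", "ge-0/0/2"),  # asymmetric: legitimate source, other interface
    ("192.0.2.9", "ge-0/0/1"),     # no route back at all (spoofed or partitioned)
]

if __name__ == "__main__":
    for src, iface, loose, strict in classify(FIB, PACKETS):
        print(f"{src:15} via {iface}: loose={'pass' if loose else 'drop'} "
              f"strict={'pass' if strict else 'drop'}")
```

Only the per-interface check drops the asymmetric packet; the FIB-existence check drops nothing but the source with no return route.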