Re: Who does source address validation? (was Re: what's that smell?)

[Jared Mauch <jared () puck Nether net>]

On Tue, Oct 08, 2002 at 12:09:56PM -0400, Jeff Aitken wrote:
> On Tue, Oct 08, 2002 at 11:49:41AM -0400, Jared Mauch wrote:
> > > Of course, this is the IP RIB and may not include all the 
> > > potential paths in the BGP Adj-RIBs-In, right?  As such, 
> > > you've still got the potential for asymmetric routing to 
> > > break things.
> >
> >     No, this is "if i have a path in fib" back to this source,
> > transmit else drop;
>
> Unless I'm missing something, that's what he said; fib == loc-rib
> for the purposes of this discussion, and loc-rib is built from the
> various adj-ribs-in.

        Correct, but it is not doing a check to see if it's returnable
via the interface it came in, just if it's returnable at all.

        As the fib/rib is built off of the adj-rib-in (minus filtering
and local policy), and the check on the cisco validates against
the CEF (fib) table on the Linecard (or centralized CPU in the
case of non-[fully-]distributed platforms) i wanted to clarify the
check that is performed.

> That said, I'm curious to know how asymmetric routing can break
> this.  As long as someone is sending (and you are installing) a
> prefix that includes the source address this check will pass. 
> If you don't have a route back to the source at all, that isn't
> asymmetric routing, it's network partitioning, assuming the source
> is legitimate.

        Exactly.  If I can't reach you, I don't want to
have my hosts or routers spend more time than is necessary
dealing with your requests.

        - Jared
-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.