nanog mailing list archives
Re: Cisco - ip verify unicast reverse-path
From: Paul Ferguson <ferguson () cisco com>
Date: Sat, 12 Feb 2000 18:35:50 -0500
Tony,

At 02:54 PM 02/12/2000 -0800, trall () almaden ibm com wrote:

> This command has been mentioned numerous times during the DDoS discussion. I, for one, don't have a good idea of how it works. Perhaps someone can enlighten us?

The "ip verify unicast reverse-path" interface command (also known as Unicast RPF, or Reverse-Path Forwarding check) requires CEF to be in use in order to use this feature. This is because CEF separates the RIB and FIB, and the FIB check is used to ensure that packets received on an interface with this feature enabled are not forwarded unless a valid path on the same interface exists back to the originating source.

See also:

"Essential IOS" - Features Every ISP Should Consider
http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip

and Craig Huegen's very useful web page on minimizing the effects of DoS attacks:
http://users.quadrunner.com/chuegen/smurf.cgi

> Another issue is why has Cisco made this such a stealth feature?

It's not a stealth feature -- it's just not well documented yet. It was only introduced in the 11.1(17)CC release image, which is a specialized service provider code base. We are working to get it documented in the traditional ways as it gets integrated into mainline code releases.

- paul
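
The FIB check described in the reply above, as an added Python sketch that is not part of the original message and is not Cisco's implementation. The prefixes, interface names and sample packets are constructed assumptions; the fourth packet shows the failure mode where a legitimate source is dropped because the best route back to it points out a different interface.

```python
import ipaddress

# Constructed toy FIB: prefix -> interfaces holding a valid path to that prefix.
# Prefixes and interface names are illustrative assumptions.
FIB = {
    "0.0.0.0/0": {"Serial0"},          # default route via upstream
    "192.0.2.0/24": {"Ethernet0"},     # customer A
    "198.51.100.0/24": {"Ethernet1"},  # customer B
    "198.51.100.128/25": {"Serial0"},  # B's more-specific, best path via upstream
}

def fib_lookup(fib, addr):
    """Longest-prefix match: interface set of the best route, or an empty set."""
    ip = ipaddress.ip_address(addr)
    best_len, best_ifs = -1, set()
    for prefix, ifs in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best_len, best_ifs = net.prefixlen, ifs
    return best_ifs

def urpf_strict(fib, src, in_if):
    """Pass only if the best route back to src points out the arrival interface."""
    return in_if in fib_lookup(fib, src)

# Constructed sample packets: (source address, arrival interface, note)
PACKETS = [
    ("192.0.2.10", "Ethernet0", "customer A, own prefix"),
    ("203.0.113.5", "Ethernet0", "source not routed via this interface"),
    ("203.0.113.5", "Serial0", "matches default route on upstream"),
    ("198.51.100.200", "Ethernet1", "legitimate, but return path is Serial0"),
    ("198.51.100.10", "Ethernet1", "customer B, own prefix"),
]

def run(fib=FIB, packets=PACKETS):
    """Return (src, in_if, verdict) for each packet under the strict check."""
    return [(src, in_if, "forward" if urpf_strict(fib, src, in_if) else "drop")
            for src, in_if, _ in packets]

if __name__ == "__main__":
    for (src, in_if, verdict), (_, _, note) in zip(run(), PACKETS):
        print(f"{src:16} in {in_if:10} {verdict:8} {note}")
```
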