nanog mailing list archives

Re: CEF RPF check w/ACLs (was: Re: netscan.org update)


From: Danny McPherson <danny () tcb net>
Date: Mon, 25 Sep 2000 14:00:00 -0600



One could note that a regular packet-filtering ACL inbound on the
customer's port could achieve a congruent functionality.
That's probably true.  In this case, I had a different idea in mind
when I asked for the feature but this is what came out.


Right, the latter is nothing more than a standard packet filter.
Ideally, one could employ the same policy used for route filtering
from a peer (perhaps generated via IRR or other similar mechanism) 
to perform source address 'authorization' in the forwarding path.  
Given, the practicality of performing these functions in hardware 
today is, well, interesting....

If this were widely supported and deployed (especially inter-
domain), IP spoofing DoS attacks would largely be a thing of the 
past.  Of course, if prefix filtering and/or ingress packet 
filtering were widely deployed even at the edge, this would 
largely be a thing of the past.

This is one of the things that we plan to discuss during the 
"Service Provider Route Filtering" panel @NANOG.

-danny
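As an added illustration, not code from this thread or from any vendor, here is a small Python model of the two checks being contrasted above: a strict CEF-style RPF lookup of the source address against the FIB, and a source-address ACL derived from the same prefix policy used to filter the customer's route announcements. The FIB, interface names and prefixes are constructed for the example.

```python
import ipaddress

# Constructed FIB (hypothetical): prefix -> egress interface, as CEF would hold it.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): "Serial0",          # default route to upstream
    ipaddress.ip_network("192.0.2.0/24"): "Ethernet1",     # customer A
    ipaddress.ip_network("198.51.100.0/24"): "Ethernet2",  # customer B
    # static route to customer A that is NOT part of their announced policy
    ipaddress.ip_network("203.0.113.0/24"): "Ethernet1",
}

# Constructed per-interface prefix policy (hypothetical): the same prefix list
# used to filter routes learned from the customer, reused to authorize sources.
ROUTE_POLICY = {
    "Ethernet1": [ipaddress.ip_network("192.0.2.0/24")],
    "Ethernet2": [ipaddress.ip_network("198.51.100.0/24")],
}

def fib_lookup(addr):
    """Longest-prefix match over the FIB; returns (prefix, interface) or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(p, i) for p, i in FIB.items() if ip in p]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)

def strict_rpf(src, ingress):
    """Strict uRPF: the best route to the source must point back out the
    interface the packet arrived on; otherwise the packet is dropped."""
    hit = fib_lookup(src)
    return hit is not None and hit[1] == ingress

def policy_acl(src, ingress):
    """Source 'authorization' from the route-filter policy: accept only sources
    inside prefixes the customer is allowed to announce on that interface."""
    ip = ipaddress.ip_address(src)
    return any(ip in p for p in ROUTE_POLICY.get(ingress, []))

def forward(src, ingress):
    """Run both checks; return 'forward' or the reason the packet was dropped."""
    if not strict_rpf(src, ingress):
        return "drop: rpf-fail"
    if not policy_acl(src, ingress):
        return "drop: policy-fail"
    return "forward"
```

The 203.0.113.0/24 case shows where the two checks diverge: the RPF lookup passes because a route points back out Ethernet1, but the policy-derived ACL drops it because customer A was never authorized to announce that prefix.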
