nanog mailing list archives

Re: CEF RPF check w/ACLs (was: Re: netscan.org update)


From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Thu, 28 Sep 2000 10:49:47 -0400


At 02:49 PM 9/28/2000 +0100, James A. T. Rice wrote:

>ip verify unicast reverse-exists
>
>i.e. only accept the packet on this interface if there is a route back to
>the source, *not necessarily on the same interface*.
>This should be safe to use on all interfaces and could use the existing
>CEF FIB, and might catch a lot of spoofed packets on a good day.

That would only stop Bogons on most core routers (full tables, right?).


>ip verify unicast destination-advertised
>
>This would check the destination address on any packet coming into an
>interface, and drop it if a route to that destination WASN'T advertised out
>of that interface - /ideal/ for NAPs & IXs. Couldn't use the existing CEF
>tables; Cisco would need to write an advertised-table for each
>interface. Again this should be safe to use on almost any interface.

Hrmmm....  That would be nice....

But there are other ways to do this. They may or may not be useful / applicable in your environment, but it can be done without this feature.


>James

TTFN,
patrick
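To make the two proposed checks concrete, here is an added worked example (Python, written for this archive page; it is not code from the thread or from Cisco). It models a tiny forwarding table and implements three checks side by side: classic strict RPF, the "reverse-exists" check (accept if any route back to the source exists, the behaviour Cisco later shipped as loose-mode uRPF, `ip verify unicast source reachable-via any`), and the "destination-advertised" check, which needs a separate per-interface table of what was advertised out of each interface, since the FIB alone does not carry that. The prefixes, interface names and packets are constructed from RFC 5737 documentation ranges; the run shows Patrick's point that reverse-exists only drops unrouted (bogon) sources on a full-table router, and James's point that destination-advertised stops a peer at an IX from using you for transit.

```python
import ipaddress

# Constructed forwarding table (prefix -> egress interface). Not a real FIB.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "cust1",
    ipaddress.ip_network("198.51.100.0/24"): "peer1",
    ipaddress.ip_network("203.0.113.0/24"): "peer2",
    ipaddress.ip_network("203.0.113.128/25"): "peer3",  # more-specific wins
}

# Constructed per-interface export tables: what we advertise out of each
# interface.  The "destination-advertised" check needs one of these per
# interface; the customer port gets a default, the peers get only our customer.
ADVERTISED = {
    "cust1": [ipaddress.ip_network("0.0.0.0/0")],
    "peer1": [ipaddress.ip_network("192.0.2.0/24")],
    "peer2": [ipaddress.ip_network("192.0.2.0/24")],
    "peer3": [ipaddress.ip_network("192.0.2.0/24")],
}


def lookup(fib, addr):
    """Longest-prefix match. Returns the egress interface, or None if unrouted."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return None if best is None else best[1]


def rpf_strict(fib, src, ingress):
    """Classic uRPF: the route back to the source must point at the ingress interface."""
    return lookup(fib, src) == ingress


def rpf_loose(fib, src, ingress):
    """'reverse-exists': any route back to the source is enough, whatever interface."""
    return lookup(fib, src) is not None


def destination_advertised(advertised, dst, ingress):
    """'destination-advertised': accept only if we advertised a route to dst out of ingress."""
    dst = ipaddress.ip_address(dst)
    return any(dst in prefix for prefix in advertised.get(ingress, ()))


def check_packet(src, dst, ingress, fib=FIB, advertised=ADVERTISED):
    """Run all three checks on one packet; True means the check would accept it."""
    return {
        "strict": rpf_strict(fib, src, ingress),
        "loose": rpf_loose(fib, src, ingress),
        "dst_advertised": destination_advertised(advertised, dst, ingress),
    }


# Constructed packets: (source, destination, ingress interface, description)
PACKETS = [
    ("192.0.2.10", "198.51.100.5", "cust1", "legitimate customer traffic"),
    ("192.0.2.10", "198.51.100.5", "peer1", "customer address spoofed from a peer"),
    ("10.1.2.3", "192.0.2.10", "peer1", "bogon source, no route in FIB"),
    ("203.0.113.200", "192.0.2.10", "peer3", "more-specific route, correct interface"),
    ("198.51.100.5", "203.0.113.7", "peer1", "peer using us for transit to another peer"),
]

if __name__ == "__main__":
    for src, dst, ingress, why in PACKETS:
        print(f"{why:42} {check_packet(src, dst, ingress)}")
```

Reading the output: the spoofed customer address arriving on peer1 passes the loose check (a route back to 192.0.2.0/24 exists, just not via peer1), so only strict RPF or the destination check catches it; the bogon source is the one case loose mode drops; and the transit-abuse packet passes both RPF checks but fails destination-advertised, which is the case James had in mind for NAPs and IXs.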
