nanog mailing list archives
Re: unicast RPF for peers viable?
From: Stephen Griffin <stephen.griffin () rcn com>
Date: Sun, 5 May 2002 20:18:57 -0400 (EDT)
In the referenced message, Iljitsch van Beijnum said:
So what is the collective wisdom on the NANOG list? Is uRPF on peering interfaces a viable option and if it breaks esoteric customer configurations, too bad; or is it something that should be discouraged because it breaks legitimate customer needs?
I believe that every little bit helps. If some amount of collateral damage for odd configs is too much for you, you can still do the below. This should only break the most egregiously broken setups (sources in space which is entirely unreachable.)

The most permissive configuration:

loose-check RPF (allow if any path available)

combined with:

interface acls (in and outbound)
deny src or dst in rfc1918
deny src or dst in class e
!supposedly, some mcast apps set both src and dst to group
!so permit
permit src _and_ dst in class d
!nothing else should have source in class d
deny src in class d

the interface acls aren't needed assuming you have no active routes for RFC1918, class d, or class e. IMHO, they are still a good idea anyways, esp. on _outbound_ to reduce crap sent to others.

As with all things, every little bit helps. Filter what you can, contribute to the overall improvement of the net. Become a White Hat respected by all, or do nothing and become a Black Hat reviled by millions of small children.
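
The policy in the message above, modelled as an added example (not part of the original post, and not router configuration): it evaluates the ACL entries first-match in the order posted, then applies a loose RPF lookup to the source. The function names, the trailing permit for all other traffic, and the routing table built from documentation prefixes with no default route are assumptions.

```python
import ipaddress as ip

RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLASS_D = ip.ip_network("224.0.0.0/4")
CLASS_E = ip.ip_network("240.0.0.0/4")

# Constructed routing table (documentation prefixes only, no default route).
ROUTES = [ip.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

def in_any(addr, nets):
    return any(addr in n for n in nets)

def acl(src, dst):
    """First-match evaluation of the interface ACL, in the order posted.
    Returns (verdict, rule). The final permit is an assumption."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    if in_any(s, RFC1918) or in_any(d, RFC1918):
        return ("deny", "rfc1918")
    if s in CLASS_E or d in CLASS_E:
        return ("deny", "class-e")
    if s in CLASS_D and d in CLASS_D:   # mcast apps that set src = dst = group
        return ("permit", "mcast-src-and-dst")
    if s in CLASS_D:                    # nothing else may source from class D
        return ("deny", "class-d-src")
    return ("permit", "default")

def loose_rpf(src, routes=ROUTES):
    """Loose check: pass if any route covers the source, on any interface."""
    return in_any(ip.ip_address(src), routes)

def inbound(src, dst, routes=ROUTES):
    """An inbound packet must pass both the ACL and the loose RPF check."""
    verdict, rule = acl(src, dst)
    if verdict == "deny":
        return ("drop", "acl:" + rule)
    if not loose_rpf(src, routes):
        return ("drop", "rpf:no-route-to-source")
    return ("forward", rule)

if __name__ == "__main__":
    # Constructed sample packets (src, dst).
    for pkt in [("198.51.100.7", "192.0.2.1"), ("203.0.113.5", "192.0.2.1"),
                ("192.0.2.10", "10.1.1.1"), ("224.1.1.1", "192.0.2.1")]:
        print(pkt, "->", inbound(*pkt))
```

The third sample has a routed source and a private destination: loose RPF inspects only the source, so that packet is caught by the ACL alone.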