nanog mailing list archives

Re: Source address validation (was Re: UUNet Offer New Protection


From: Paul Vixie <vixie () vix com>
Date: 07 Mar 2004 22:15:12 +0000


sean () donelan com (Sean Donelan) writes:

> SAV doesn't tell you where the packets came from.  At best SAV tells you
> where the packets didn't come from.

...which is incredibly more valuable than not knowing anything at all.

> You would be wrong.  There are networks that have deployed SAV/uRPF.
>
> They saw no _net_ savings.
>
> In the real world, it costs more to deploy and maintain SAV/uRPF.

in the therefore-unreal world i live in, the ability to tell a GWF ("goober
with firewall") that the incident report they sent our noc could not possibly
have come from here, is a net cost savings over having to prove it every time.

> Have you noticed this thread is full of people who don't run large
> networks saying other people who do run networks should deploy SAV/uRPF.

distinguishingly, i do help run a network, and i'm not limiting my accusation
("you guys are slackers") to uRPF-free networks of any particular size ("big").
-- 
Paul Vixie

