[107699] in North American Network Operators' Group

Re: an effect of ignoring BCP38

daemon@ATHENA.MIT.EDU (Pekka Savola)
Thu Sep 11 09:33:17 2008

Date: Thu, 11 Sep 2008 16:32:57 +0300 (EEST)
From: Pekka Savola <pekkas@netcore.fi>
To: Jo Rhett <jrhett@netconsonance.com>
In-Reply-To: <50C358B1-45AB-487E-A628-62230FD0E537@netconsonance.com>
Cc: bmanning@vacation.karoshi.com, nanog@merit.edu, k claffy <kc@caida.org>
Errors-To: nanog-bounces@nanog.org

On Thu, 11 Sep 2008, Jo Rhett wrote:
>> [Pekka:]
>> Loose mode URPF is [..] (IMHO) pretty much waste of time and is confusing 
>> the discussion about real spoofing protection.  The added protection 
>> compared to ACLs that drop private and possibly bogons is not that big and 
>> it causes transient losses when the routing tables are changing.
>
> I disagree.   But I will say that if everyone would apply strict mode or ACLs 
> to their end point interfaces, this would likely make most of the loose mode 
> irrelevant.

FWIW, based on off-list discussion, Jo's disagreement seems to stem 
from a misunderstanding of how loose uRPF works (he didn't know it 
accepts any packet that has a route in the routing table).

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
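
The difference discussed in this message, as an added example that is not part of the original post: a simplified model of a bogon ACL, loose uRPF and strict uRPF applied to the same packets. The FIB entries, interface names and bogon subset are constructed for illustration, and the strict check ignores vendor-specific options.

```python
import ipaddress

# Constructed sample FIB (prefix -> interface the route points out of).
# Documentation prefixes stand in for real customer/peer routes.
FIB = {
    "198.51.100.0/24": "cust1",
    "203.0.113.0/24": "cust2",
    "192.0.2.0/24": "peer0",
}
# Private/loopback ranges a static ingress ACL would drop (subset, for illustration).
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]

def best_route(src):
    """Longest-prefix match; returns the outgoing interface or None."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in FIB.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def bogon_acl(src, in_ifc):
    # Static ACL: accept unless the source is in a listed private/bogon range.
    addr = ipaddress.ip_address(src)
    return not any(addr in ipaddress.ip_network(b) for b in BOGONS)

def loose_urpf(src, in_ifc):
    # Loose mode: any route to the source is enough; arrival interface is ignored.
    return best_route(src) is not None

def strict_urpf(src, in_ifc):
    # Strict mode: best route back to the source must use the arrival interface.
    return best_route(src) == in_ifc

def verdicts(src, in_ifc):
    """True means the check accepts the packet."""
    return {f.__name__: f(src, in_ifc) for f in (bogon_acl, loose_urpf, strict_urpf)}

if __name__ == "__main__":
    for src, ifc in [("198.51.100.9", "cust1"),   # source that belongs to cust1
                     ("203.0.113.7", "cust1"),    # routed source that belongs to cust2
                     ("10.1.2.3", "cust1")]:      # private source, no route
        print(src, ifc, verdicts(src, ifc))
```

In this model the bogon ACL and loose uRPF give the same verdict on all three packets; only the strict check drops the source that is routed via a different interface.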

