[127257] in North American Network Operators' Group
Re: Todd Underwood was a little late
daemon@ATHENA.MIT.EDU (William Herrin)
Fri Jun 18 11:28:53 2010
In-Reply-To: <4C1B72E1.8050104@ipv6canada.com>
From: William Herrin <bill@herrin.us>
Date: Fri, 18 Jun 2010 11:27:57 -0400
To: Steve Bertrand <steve@ipv6canada.com>
Cc: nanog@nanog.org
On Fri, Jun 18, 2010 at 9:21 AM, Steve Bertrand <steve@ipv6canada.com> wrote:
> On 2010.06.18 09:06, William Herrin wrote:
>> On Fri, Jun 18, 2010 at 8:37 AM, Steve Bertrand <steve@ipv6canada.com> wrote:
>
>> I'm not sure what that accomplishes. It doesn't close any doors. With
>> loose-mode RPF he can still forge packets from any address actually in
>> use.
>
> What it does is prevent packets with the illegal IP address from
> actually being delivered to the intended destination within your network,
> preserving some (perhaps a very small amount) of bandwidth/router resources.
Right, but to save that fractional bit of bandwidth you pay for an
extra TCAM or radix tree hit impacting every single packet entering
your system on your very expensive upstream border routers -- a
significant reduction in your hardware's capacity.
I get strict RPF - if you can guarantee symmetric routing (which you
often can in single-homed scenarios) it offers a meaningful
improvement in your network's security without configuration
management challenges at the cost of extra processing. But the
cost/benefit to loose RPF doesn't seem to come close to adding up in
any scenario that occurs to me.
Regards,
Bill Herrin
--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
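To make the loose-vs-strict distinction in the exchange above concrete, here is an added example (not code from the thread or from any vendor) that models both unicast RPF modes over a small, constructed FIB: loose mode only asks whether any route exists for the source, so a spoofed source that is actually in use elsewhere passes, while strict mode also requires the route to point back out the ingress interface, which blocks that spoof but also drops legitimate traffic whenever routing is asymmetric.

```python
import ipaddress

# Constructed FIB for a border router: (prefix, egress interface).
# An interface of None marks an explicitly unrouted (null) prefix.
FIB = [
    ("203.0.113.0/24",    "cust-a"),   # single-homed customer A
    ("198.51.100.0/24",   "cust-b"),   # customer B
    ("198.51.100.128/25", "cust-c"),   # more-specific: upper half moved to customer C
    ("10.0.0.0/8",        None),       # RFC 1918 space, null-routed
]

def lpm(addr):
    """Longest-prefix match over FIB; returns (network, iface) or None if unrouted."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_check(mode, src, ingress):
    """True if a packet with source `src` arriving on `ingress` passes uRPF in `mode`."""
    route = lpm(src)
    if route is None or route[1] is None:
        return False                  # no route or null route: dropped in both modes
    if mode == "loose":
        return True                   # loose: any usable route for the source suffices
    if mode == "strict":
        return route[1] == ingress    # strict: best route must point back out the ingress
    raise ValueError(f"unknown uRPF mode: {mode}")

if __name__ == "__main__":
    cases = [
        # (description, source, ingress)
        ("spoofed src in use behind cust-b, sent from cust-a", "198.51.100.5", "cust-a"),
        ("legitimate cust-a source",                           "203.0.113.7",  "cust-a"),
        ("cust-a source returning via upstream (asymmetric)",  "203.0.113.7",  "upstream0"),
        ("null-routed RFC 1918 source",                        "10.1.2.3",     "cust-a"),
        ("unrouted source",                                    "192.0.2.9",    "cust-a"),
    ]
    for desc, src, ifc in cases:
        print(f"{desc:55s} loose={urpf_check('loose', src, ifc)!s:5} "
              f"strict={urpf_check('strict', src, ifc)}")
```

The third case is the symmetric-routing caveat from the message: strict mode drops a genuine packet simply because its return path differs from the route the router holds for that source.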