[151737] in North American Network Operators' Group
Re: BCP38 Deployment
daemon@ATHENA.MIT.EDU (Jon Lewis)
Thu Mar 29 19:32:01 2012
Date: Thu, 29 Mar 2012 19:31:26 -0400 (EDT)
From: Jon Lewis <jlewis@lewis.org>
To: Joe Provo <nanog-post@rsuc.gweep.net>
In-Reply-To: <20120329225052.GA79627@gweep.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Thu, 29 Mar 2012, Joe Provo wrote:
> uRFP was a trivial, 0-impact feature on the cisco VXR-based CMTS
> platform. Assert a simple statement in the default config (along
> with 'ips classless' and all your other standard config elements)
uRPF: or as it's now used in IOS,
  ip verify unicast source reachable-via rx ...
I don't know what it would have to do with ip classless. It requires ip
cef, but so do lots of other "features" including reasonably fast packet
forwarding.
> and job done. It assisted in reducing our abuse desk workload by
> eliminating a class of attacks from us, so the trivial "cost" was
> worth it in opex. ISTR it being on the required feature list for
> additional CMTS evaluations but it has been many years since I
> touched that kit.
uRPF stops your customers from sending forged source address
packets. Since forged source address packets are rarely traced back to
their actual source, I'm not sure how configuring it on your network would
reduce your abuse desk workload at all.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
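
Added example, not part of the message above or of the thread: a small Python model of the source check behind `ip verify unicast source reachable-via rx` (strict) and `reachable-via any` (loose), run against a constructed FIB. The interface names, prefixes and function names are assumptions made for illustration; the default route is treated as no match and equal-cost multipath is not modelled.

```python
import ipaddress

# Constructed FIB for a hypothetical edge router: prefix -> egress interface.
FIB = {
    "0.0.0.0/0": "Uplink0",
    "198.51.100.0/24": "Cable1/0",
    "203.0.113.0/25": "Cable1/1",
    "203.0.113.128/25": "Cable1/1",
}


def best_route(src, fib=FIB):
    """Longest-prefix match on the packet's SOURCE address.

    Returns (network, interface), or None if nothing covers the address.
    """
    addr = ipaddress.ip_address(src)
    matches = [
        (ipaddress.ip_network(prefix), ifc)
        for prefix, ifc in fib.items()
        if addr in ipaddress.ip_network(prefix)
    ]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def urpf_permits(src, in_ifc, mode="rx", fib=FIB):
    """Decide whether a packet from `src` arriving on `in_ifc` is forwarded.

    mode "rx"  (strict): the best route back to src must use in_ifc.
    mode "any" (loose):  any route to src is enough.
    Assumption of this model: a default route never satisfies the check.
    """
    if mode not in ("rx", "any"):
        raise ValueError(f"unknown uRPF mode: {mode}")
    route = best_route(src, fib)
    if route is None or route[0].prefixlen == 0:
        return False
    return route[1] == in_ifc if mode == "rx" else True


if __name__ == "__main__":
    # Constructed packets, all arriving on the customer-facing Cable1/0.
    for src in ("198.51.100.7", "198.51.100.200", "203.0.113.9", "192.0.2.55"):
        print(src, "strict:", urpf_permits(src, "Cable1/0"),
              "loose:", urpf_permits(src, "Cable1/0", mode="any"))
```

Strict mode drops sources that route out a different interface or only via the default route, but a forged address inside the same prefix as the sender (198.51.100.200 here) still passes.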