[17686] in North American Network Operators' Group


Re: I didn't make it up to the microphone quick enough...

daemon@ATHENA.MIT.EDU (Craig A. Huegen)
Tue Jun 9 10:31:26 1998

Date: Tue, 9 Jun 1998 07:24:54 -0700
From: "Craig A. Huegen" <chuegen@quadrunner.com>
To: Alex Rubenstein <alex@nac.net>, nanog@merit.edu, chuegen@quadrunner.com
In-Reply-To: <Pine.BSF.3.96.980609101219.7678H-100000@iago.nac.net>; from Alex Rubenstein on Tue, Jun 09, 1998 at 10:16:10AM -0400

On Tue, Jun 09, 1998 at 10:16:10AM -0400, Alex Rubenstein wrote:

==>I have a question about the ip reverse-path verification. Obviously, it
==>won't work very well in an asymmetric multi-homed environment. But, the
==>usefulness could be there (even limitedly) if you could at least filter
==>packets that have source address which does not exist in the routing table
==>_at all_ (irregardless of ingress or egress interface). 
==>
==>Is this something that could be implemented easily?

It would be another limited-functionality implementation -- it would work,
but there are some cases under which it breaks --

consider the case where everything is summarized to default, or you only
feed a default to edge devices that don't need the full table.

Now, that wouldn't work in a smurf case because the source address *does*
exist -- it's your target.  It would help those cases where people are
hit with, say, boink/bonk/etc.

/cah
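
The check proposed in this thread (drop a packet only when its source address has no route at all) next to the interface-matching reverse-path check, as an added Python sketch that is not part of the original message. The routing tables, addresses, interface names and the `allow_default` parameter are constructed for illustration.

```python
import ipaddress

# Constructed sample tables: (prefix, interface the route points out of).
FULL_TABLE = [("192.0.2.0/24", "eth0"), ("198.51.100.0/24", "eth1")]
DEFAULT_ONLY = [("0.0.0.0/0", "eth0")]  # edge device fed only a default


def lookup(table, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_rpf(table, src, in_iface):
    """Accept only if the route back to src points out the arrival interface."""
    hit = lookup(table, src)
    return hit is not None and hit[1] == in_iface


def loose_rpf(table, src, allow_default=True):
    """Accept if any route to src exists, regardless of interface.

    allow_default is a hypothetical knob: when False, a match on 0.0.0.0/0
    does not count as "exists in the routing table".
    """
    hit = lookup(table, src)
    if hit is None:
        return False
    return allow_default or hit[0].prefixlen > 0


if __name__ == "__main__":
    # Asymmetric path: source is routed via eth1 but the packet arrives on eth0.
    print("asymmetric, strict:", strict_rpf(FULL_TABLE, "198.51.100.7", "eth0"))
    print("asymmetric, loose: ", loose_rpf(FULL_TABLE, "198.51.100.7"))
    # Source with no route at all: the case the loose check can drop.
    print("unrouted, loose:   ", loose_rpf(FULL_TABLE, "203.0.113.9"))
    # Default-only table: every source matches, so the check drops nothing.
    print("default-only, loose:", loose_rpf(DEFAULT_ONLY, "203.0.113.9"))
    # Smurf: the forged source is the target's real, routed address.
    print("smurf source, loose:", loose_rpf(FULL_TABLE, "192.0.2.10"))
```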
