[31553] in North American Network Operators' Group
Re: CEF RPF check w/ACLs (was: Re: netscan.org update)
daemon@ATHENA.MIT.EDU (James A. T. Rice)
Thu Sep 28 09:51:47 2000
Date: Thu, 28 Sep 2000 14:49:26 +0100 (BST)
From: "James A. T. Rice" <James_R-nanog@jump.org.uk>
To: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.21.0009251518330.21555-100000@mesa.bbnplanet.com>
Message-ID: <Pine.BSO.4.21.0009281431250.21447-100000@marvin.jump.org.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
Wow, I wonder what Cisco would do with my wish list:
ip verify unicast reverse-exists
i.e. only accept the packet on this interface if there is a route back to
the source, *not necessarily on the same interface*.
This should be safe to use on all interfaces and could use the existing
CEF FIB, and might catch a lot of spoofed packets on a good day.
ip verify unicast destination-advertised
This would check the destination address on any packet coming into an
interface, and drop it if a route to that destination WASN'T advertised out
of that interface - /ideal/ for NAPs & IXs. Couldn't use the existing CEF
tables; Cisco would need to write an advertised-table for each
interface. Again this should be safe to use on almost any interface.
Regards
James
On Mon, 25 Sep 2000, Tony Tauber wrote:
> I was the one who asked for something like it and a friendly
> developer coded it up nice and quickly.
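The two checks James wishes for, modelled in Python as an added example (this is not code from the original post or from Cisco). The FIB, the per-interface "advertised" tables, the sample packets and the function names are all constructed for illustration. The first wish is what Cisco later shipped as loose-mode uRPF (`ip verify unicast source reachable-via any`); the model also shows the caveat a practitioner hits with it: if the router carries a default route, a "does a route exist" check passes every source unless the default is excluded (Cisco's `allow-default` keyword controls this). The second wish is modelled as a per-interface table of prefixes the router announced out of that interface, which is what the post says CEF does not already keep.

```python
"""Toy model of three ingress checks: strict uRPF, the "reverse-exists"
(loose) check, and the "destination-advertised" check.

Everything below (FIB, advertised tables, packets) is constructed sample data.
"""
import ipaddress

# Constructed FIB: prefix -> egress interface, resolved by longest-prefix match.
FIB = {
    ipaddress.ip_network("10.0.0.0/8"): "eth0",         # customer A
    ipaddress.ip_network("192.0.2.0/24"): "eth1",       # customer B
    ipaddress.ip_network("198.51.100.0/24"): "eth2",    # peer across the IX
    ipaddress.ip_network("0.0.0.0/0"): "eth3",          # transit default route
}

# Constructed per-interface advertised tables: what this router announced out
# of each interface, i.e. the only destinations that neighbour should send us.
ADVERTISED = {
    "eth0": [ipaddress.ip_network("0.0.0.0/0")],        # customers get a default
    "eth1": [ipaddress.ip_network("0.0.0.0/0")],
    "eth2": [ipaddress.ip_network("10.0.0.0/8"),        # IX peer only gets our customers
             ipaddress.ip_network("192.0.2.0/24")],
}

# Constructed packets: (ingress interface, source, destination).
PACKETS = [
    ("eth0", "10.1.2.3", "192.0.2.10"),        # legit customer A -> customer B
    ("eth0", "192.0.2.77", "198.51.100.5"),    # customer A spoofing B's space
    ("eth2", "198.51.100.9", "203.0.113.1"),   # IX peer sending to a dest we never advertised to it
    ("eth2", "172.16.0.1", "10.9.9.9"),        # source only reachable via the default route
    ("eth1", "192.0.2.5", "10.0.0.1"),         # legit customer B -> customer A
]


def lookup(fib, addr):
    """Longest-prefix match. Returns (prefix, egress_iface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def strict_rpf(fib, ingress, src):
    """Strict uRPF: the best route back to src must exit the ingress interface."""
    hit = lookup(fib, src)
    return hit is not None and hit[1] == ingress


def loose_rpf(fib, src, allow_default=False):
    """The 'reverse-exists' wish: accept if any route to src exists, on any
    interface. A default route is not counted unless allow_default is set;
    with it counted, the check passes everything and catches nothing."""
    hit = lookup(fib, src)
    if hit is None:
        return False
    if hit[0].prefixlen == 0 and not allow_default:
        return False
    return True


def dest_advertised(advertised, ingress, dst):
    """The 'destination-advertised' wish: accept only if this router announced
    a prefix covering dst out of the interface the packet came in on."""
    ip = ipaddress.ip_address(dst)
    return any(ip in prefix for prefix in advertised.get(ingress, []))


def filter_packets(packets, fib, advertised):
    """Run all three checks over a packet list; returns one dict per packet."""
    results = []
    for ingress, src, dst in packets:
        results.append({
            "pkt": (ingress, src, dst),
            "strict": strict_rpf(fib, ingress, src),
            "loose": loose_rpf(fib, src),
            "dest_adv": dest_advertised(advertised, ingress, dst),
        })
    return results


if __name__ == "__main__":
    for r in filter_packets(PACKETS, FIB, ADVERTISED):
        print(r["pkt"], "strict=%s loose=%s dest_adv=%s"
              % (r["strict"], r["loose"], r["dest_adv"]))
```

Reading the output for the constructed packets: the spoofed-source packet on eth0 fails strict but passes loose (a route to 192.0.2.0/24 exists, just via eth1), which is exactly the trade-off James describes in accepting the loose check as "safe on all interfaces". The IX packet to 203.0.113.1 passes both RPF checks and is caught only by the destination-advertised table for eth2. The 172.16.0.1 source fails loose only because the default route is excluded; re-run `loose_rpf` with `allow_default=True` and it passes.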