[31563] in North American Network Operators' Group
RE: CEF RPF check w/ACLs (was: Re: netscan.org update)
daemon@ATHENA.MIT.EDU (Segal, Mark)
Thu Sep 28 16:19:05 2000
Message-ID: <716BF3944E54D4118CBC00D0B765EADE405620@phobos.inside.axxent.ca>
From: "Segal, Mark" <Mark.Segal@Corp.Axxent.Ca>
To: "'James A. T. Rice'" <James_R-nanog@jump.org.uk>, nanog@merit.edu
Date: Thu, 28 Sep 2000 16:16:01 -0400
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Errors-To: owner-nanog-outgoing@merit.edu
What a novel idea.. :). That would put all my expect programmers out of
business though.. oh well.
If there are any Cisco folks listening.. This just makes sense.
Mark
--
Mark Segal
Director, Network Engineering
Axxent Corp.
Tel: (416)907-2858
> -----Original Message-----
> From: James A. T. Rice [mailto:James_R-nanog@jump.org.uk]
> Sent: Thursday, September 28, 2000 9:49 AM
> To: nanog@merit.edu
> Subject: Re: CEF RPF check w/ACLs (was: Re: netscan.org update)
>
>
>
> Wow, I wonder what cisco would do with my wish list:
>
>
> ip verify unicast reverse-exists
>
> i.e. only accept the packet on this interface if there is a
> route back to
> the source, *not necessarily on the same interface*..
> This should be safe to use on all interfaces and could use
> the existing
> CEF FIB, and might catch a lot of spoofed packets on a good day.
>
>
> ip verify unicast destination-advertised
>
> This would check the destination address on any packet coming into an
> interface, and drop it if a route to that destination WASN'T
> advertised out
> of that interface - /ideal/ for NAPs & IX's. Couldn't use the
> existing cef
> tables, cisco would need to write an advertised-table for each
> interface. Again this should be safe to use on almost any interface.
>
>
> Regards
> James
>
>
> On Mon, 25 Sep 2000, Tony Tauber wrote:
>
> > I was the one who asked for something like it and a friendly
> > developer coded it up nice and quickly.
>
>
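The two checks James wishes for above, together with the strict RPF check that already existed, can be simulated against a small routing table to see exactly which packets each one drops. The following is an added example, not code from the thread or from Cisco: the FIB, the per-interface "advertised prefix" tables and the sample packets are all constructed, and the interface names (Ethernet1, Ethernet2, Serial0, Null0) are assumptions. Two practitioner caveats are built in: a source that matches only the default route does not count as "a route back" unless the operator explicitly allows it (otherwise a default route makes the loose check pass everything), and a source whose best route points to Null0 is treated as having no valid route, which is what lets a blackhole route double as a source filter.

```python
"""Simulation of CEF-style source/destination checks from the NANOG thread.

  strict:          route to the source must point back out the ingress interface
  loose:           any route to the source suffices ("ip verify unicast reverse-exists")
  dest_advertised: destination must lie within a prefix this router advertised
                   out of the ingress interface ("ip verify unicast destination-advertised")

Added example with a constructed FIB; not Cisco's implementation.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed FIB: (prefix, outgoing interface). Longest prefix wins.
FIB: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("0.0.0.0/0"), "Serial0"),         # default route to transit
    (ipaddress.ip_network("192.0.2.0/24"), "Ethernet1"),    # customer A
    (ipaddress.ip_network("198.51.100.0/24"), "Ethernet2"), # customer B
    (ipaddress.ip_network("203.0.113.0/24"), "Null0"),      # blackholed prefix
]

# Constructed per-interface table of prefixes advertised OUT of each interface,
# the extra state the destination-advertised check would require.
ADVERTISED: Dict[str, List[ipaddress.IPv4Network]] = {
    "Ethernet1": [ipaddress.ip_network("0.0.0.0/0")],   # customers receive a default
    "Ethernet2": [ipaddress.ip_network("0.0.0.0/0")],
    "Serial0": [ipaddress.ip_network("192.0.2.0/24"),   # transit receives our customers
                ipaddress.ip_network("198.51.100.0/24")],
}


def lookup(addr: str, allow_default: bool = False) -> Optional[str]:
    """Longest-prefix-match lookup. Returns the outgoing interface, or None when
    there is no route. A match on the default route counts only if allow_default."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, iface in FIB:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    if best is None or (best[0].prefixlen == 0 and not allow_default):
        return None
    return best[1]


def strict_rpf(src: str, ingress: str, allow_default: bool = False) -> bool:
    """Accept only if the best route to the source leaves via the ingress interface."""
    return lookup(src, allow_default) == ingress


def loose_rpf(src: str, allow_default: bool = False) -> bool:
    """Accept if any route to the source exists; a Null0 route is not a real path."""
    iface = lookup(src, allow_default)
    return iface is not None and iface != "Null0"


def destination_advertised(dst: str, ingress: str) -> bool:
    """Accept only if the destination lies in a prefix advertised out of ingress."""
    ip = ipaddress.ip_address(dst)
    return any(ip in prefix for prefix in ADVERTISED.get(ingress, []))


def verify(src: str, dst: str, ingress: str, allow_default: bool = False) -> Dict[str, bool]:
    """Run all three checks on one packet and report each verdict."""
    return {
        "strict": strict_rpf(src, ingress, allow_default),
        "loose": loose_rpf(src, allow_default),
        "dest_advertised": destination_advertised(dst, ingress),
    }


# Constructed sample packets: (source, destination, ingress interface).
PACKETS = [
    ("192.0.2.10", "198.51.100.5", "Ethernet1"),   # customer A, legitimate
    ("198.51.100.9", "198.51.100.5", "Ethernet1"), # customer A spoofing customer B
    ("203.0.113.77", "192.0.2.40", "Serial0"),     # source in a blackholed prefix
    ("10.0.0.1", "192.0.2.40", "Serial0"),         # source covered only by default route
    ("192.0.2.10", "203.0.113.7", "Serial0"),      # transit packet to a prefix we never announced
]

if __name__ == "__main__":
    print(f"{'source':<14}{'dest':<14}{'ingress':<10}strict loose dest_adv")
    for src, dst, ingress in PACKETS:
        v = verify(src, dst, ingress)
        print(f"{src:<14}{dst:<14}{ingress:<10}{v['strict']!s:<7}{v['loose']!s:<6}{v['dest_advertised']}")
```

Running it shows the trade-off the thread is about: the loose check passes the packet from Ethernet1 that spoofs customer B's address, because a route to that source does exist (strict drops it), but it does drop the blackholed source and, unless the default route is allowed, any source the router has no specific route for. The destination-advertised check is independent of the source entirely and catches the transit-side packet addressed to a prefix that was never announced out of Serial0. Cisco IOS later shipped the loose form as `ip verify unicast source reachable-via any`, with an `allow-default` keyword that corresponds to the flag above.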