[52664] in North American Network Operators' Group
Re: Who does source address validation? (was Re: what's that smell?)
daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Oct 8 11:28:13 2002
Date: Tue, 8 Oct 2002 11:26:42 -0400
From: Jared Mauch <jared@puck.Nether.net>
To: Sean Donelan <sean@donelan.com>
Cc: Joe Abley <jabley@isc.org>,
"Kelly J. Cooper" <kcooper@genuity.net>, nanog@merit.edu
In-Reply-To: <Pine.GSO.4.40.0210081056310.12533-100000@clifden.donelan.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, Oct 08, 2002 at 11:09:10AM -0400, Sean Donelan wrote:
> If there is a magic solution, I would love to hear about it.
To drop the RFC 1918 space, there is a close-to-magic
solution.
Install this on all your internal, upstream, downstream
interfaces (Cisco router) [CEF required]:
"ip verify unicast source reachable-via any"
This will drop all packets on the interface that do not
have a way to return them in your routing table.
> Unfortunately, the only solutions I've seen involve considerable work and
> resources to implement and maintain all the "exceptions" needed to do 100%
> source address validation.
Juniper has a somewhat viable solution to the 100% source
validation for BGP customers. They will consider non-best
paths in their unicast-RPF check on the customer interface. This
means that even if 35.0.0.0/8 is best returned via your
peer instead of via the provider the packet came in, but they
are advertising the prefix to you, you will not drop the packet.
> Heck, the phone network still has trouble getting the correct Caller-ID
> end-to-end.
Uh, this is because it costs another 1/2 a cent a minute (or more)
to provision a caller-ID capable trunk (long distance) and people just
don't want to pay the extra money and it's cheaper to not identify
oneself. (This is why most telemarketers don't generate caller-ID
or if they can, they suppress it).
- jared
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
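Added example, not code from the post or from either vendor: a toy Python model of the three uRPF checks the message compares, loose mode ("reachable-via any"), strict mode, and the Juniper behaviour of accepting non-best paths learned on the ingress interface. The FIB, interface names and the `default_counts` switch (standing in for IOS's `allow-default` keyword) are constructed for illustration.

```python
import ipaddress

# Constructed FIB: prefix -> interfaces a path was learned from, best path
# first. Illustrative only; not a real routing table.
FIB = {
    "35.0.0.0/8":   ["peer0", "cust1"],   # best via a peer, also advertised by cust1
    "192.0.2.0/24": ["cust1"],            # a customer prefix, only via cust1
    "0.0.0.0/0":    ["upstream0"],        # default route via the upstream
}


def lookup(src):
    """Longest-prefix match on the constructed FIB; returns (network, paths) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for pfx, paths in FIB.items():
        net = ipaddress.ip_network(pfx)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, paths)
    return best


def urpf_pass(src, ingress, mode, default_counts=False):
    """Return True if a packet with source `src` arriving on `ingress` passes the check.

    mode "loose":    any route to the source exists ("reachable-via any")
    mode "strict":   the best path to the source points back out `ingress`
    mode "feasible": any known path, best or not, was learned via `ingress`
    default_counts:  whether a default route satisfies the check (IOS: allow-default)
    """
    hit = lookup(src)
    if hit is None:
        return False                      # no route at all: unroutable source, drop
    net, paths = hit
    if net.prefixlen == 0 and not default_counts:
        return False                      # only the default matched; ignore it
    if mode == "loose":
        return True
    if mode == "strict":
        return paths[0] == ingress
    if mode == "feasible":
        return ingress in paths
    raise ValueError(f"unknown mode {mode!r}")
```

Run the cases from the post: an RFC 1918 source fails loose mode because only the default route matches, while 35.0.0.0/8 arriving from cust1 fails strict mode but passes the feasible-path check.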