[53086] in North American Network Operators' Group


Re: no ip forged-source-address

daemon@ATHENA.MIT.EDU (Lars Erik Gullerud)
Wed Oct 30 14:03:51 2002

From: Lars Erik Gullerud <lerik@nolink.net>
To: variable@ednet.co.uk
Cc: nanog@nanog.org
In-Reply-To: <Pine.LNX.4.44.0210301543550.15565-100000@pachabel.ednet.co.uk>
Date: 30 Oct 2002 20:02:13 +0100
Errors-To: owner-nanog-outgoing@merit.edu


On Wed, 2002-10-30 at 16:44, variable@ednet.co.uk wrote:

> Therefore, would it be a reasonable suggestion to ask router vendors to
> source address filtering in as an option[1] on the interface and then move
> it to being the default setting[2] after a period of time?  This appeared
> to have some success with reducing the number of networks that forwarded
> broadcast packets (as with "no ip directed-broadcast").
[snip] 

> [1] For example, an IOS config might be:
> 
> interface fastethernet 1/0
>  no ip forged-source-address

Well, this already exists, doesn't it? Try the following on your
customer-facing interface:

ip verify unicast source reachable-via rx

> [2] Network admins would still have the option of turning it off, but this 
> would have to be explicitly configured.

I have a feeling that having strict uRPF as the default setting on an
interface would be very badly received by a lot of ISPs. I know I
certainly wouldn't like it very much.

Is it really the job of router vendors to protect the net from
lazy/incompetent/ignorant network admins?

/leg
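An added illustration of the check being discussed above (example code, not part of the original post or of any vendor's implementation): a small simulation of the reverse-path lookup that "ip verify unicast source reachable-via rx" performs (strict mode), next to the "reachable-via any" (loose) variant and the "allow-default" behaviour. The FIB, interface names and packets are constructed for the example. It shows why the check stops a packet carrying another customer's source address, and also why the reply above expects strict mode as a default to be unpopular: a legitimate source whose return path uses a different link is dropped by strict mode and only passes in loose mode.

```python
import ipaddress

# Constructed example FIB (prefix -> interface the router would use to reach it).
# These prefixes and interface names are assumptions, not from the original post.
FIB = [
    ("0.0.0.0/0", "Gi0/0"),           # default route to upstream
    ("192.0.2.0/24", "Fa1/0"),        # customer A, single-homed on Fa1/0
    ("198.51.100.0/24", "Fa1/1"),     # customer B, reached via Fa1/1
    ("198.51.100.128/25", "Fa1/2"),   # more specific for B via a second link, so
                                      # return traffic for .128/25 leaves on Fa1/2
                                      # (asymmetric relative to Fa1/1)
]


def lookup(fib, addr):
    """Longest-prefix match. Returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_pass(fib, src, ingress, mode="strict", allow_default=False):
    """Reverse-path check for one packet; True means forward, False means drop.

    strict: the FIB's path back to `src` must leave via `ingress`
            (the behaviour of 'ip verify unicast source reachable-via rx').
    loose:  any route to `src` suffices ('... reachable-via any').
    A default route only counts when allow_default is True, mirroring the
    IOS 'allow-default' keyword. ACL exemptions and multipath are not modelled.
    """
    match = lookup(fib, src)
    if match is None:
        return False
    net, egress = match
    if net.prefixlen == 0 and not allow_default:
        return False  # only a default route knows the source: treat as unroutable
    if mode == "loose":
        return True
    return egress == ingress


# Constructed packets: (source address, arrival interface, description)
PACKETS = [
    ("192.0.2.10", "Fa1/0", "customer A from its own link"),
    ("192.0.2.10", "Fa1/1", "customer A address arriving from customer B's link (spoofed)"),
    ("198.51.100.200", "Fa1/1", "customer B address whose return path is the other link"),
    ("203.0.113.5", "Fa1/0", "address known only via the default route"),
]


def evaluate(mode="strict", allow_default=False):
    """Return {description: 'pass' | 'drop'} for every constructed packet."""
    return {
        desc: ("pass" if urpf_pass(FIB, src, ingress, mode, allow_default) else "drop")
        for src, ingress, desc in PACKETS
    }


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"--- {mode} uRPF ---")
        for desc, verdict in evaluate(mode).items():
            print(f"{verdict:4}  {desc}")
```

Running it prints a pass/drop verdict per packet for each mode. The third packet is the interesting one: its source is genuinely customer B's, but the FIB's best path back to it is Fa1/2, so strict mode on Fa1/1 drops it while loose mode forwards it. That asymmetry is the operational cost an operator weighs before enabling strict mode, and the reason a blanket default would need per-interface review.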


