[53087] in North American Network Operators' Group
Re: no ip forged-source-address
daemon@ATHENA.MIT.EDU (Jared Mauch)
Wed Oct 30 14:09:20 2002
Date: Wed, 30 Oct 2002 14:08:26 -0500
From: Jared Mauch <jared@puck.Nether.net>
To: Lars Erik Gullerud <lerik@nolink.net>
Cc: variable@ednet.co.uk, nanog@nanog.org
In-Reply-To: <1036004533.38724.16409.camel@sabre.ncc.catchcom.no>
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, Oct 30, 2002 at 08:02:13PM +0100, Lars Erik Gullerud wrote:
>
> On Wed, 2002-10-30 at 16:44, variable@ednet.co.uk wrote:
>
> > Therefore, would it be a reasonable suggestion to ask router vendors to
> > source address filtering in as an option[1] on the interface and then move
> > it to being the default setting[2] after a period of time? This appeared
> > to have some success with reducing the number of networks that forwarded
> > broadcast packets (as with "no ip directed-broadcast").
> [snip]
>
> > [1] For example, an IOS config might be:
> >
> > interface fastethernet 1/0
> > no ip forged-source-address
>
> Well, this already exists, doesn't it? Try the following on your
> customer-facing interface:
>
> ip verify unicast source reachable-via rx
>
> > [2] Network admins would still have the option of turning it off, but this
> > would have to be explicitly configured.
>
> I have a feeling that having strict uRPF as the default setting on an
> interface would be very badly received by a lot of ISP's. I know I
> certainly wouldn't like it very much.
>
> Is it really the job of router vendors to protect the net from
> lazy/incompetent/ignorant network admins?
No, but I can't enable these features on all
my router interfaces without causing delays/drops due to poor
initial design quality and lack of long-term vision for linecards
manufactured.
The rush for time-to-market can cause you to lose in
the long-term due to lack of features.
- jared
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
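As an added illustration, not part of the thread or any vendor's code, here is a small Python model of what the strict check Lars quotes (`reachable-via rx`) does compared with the loose form (`reachable-via any`); the FIB, interface names, sample packets and the allow-default behaviour are constructed assumptions for the example.

```python
import ipaddress

# Constructed FIB (assumption): prefix -> interface the router forwards that prefix out of.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): "Serial0/0",              # default to upstream
    ipaddress.ip_network("192.0.2.0/24"): "FastEthernet1/0",     # customer A
    ipaddress.ip_network("198.51.100.0/24"): "FastEthernet1/1",  # customer B
    ipaddress.ip_network("203.0.113.0/24"): "Null0",             # blackholed space
}

def lookup(src):
    """Longest-prefix match on the FIB; returns (prefix, interface) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for pfx, intf in FIB.items():
        if ip in pfx and (best is None or pfx.prefixlen > best[0].prefixlen):
            best = (pfx, intf)
    return best

def urpf_permits(src, ingress, mode="rx", allow_default=False):
    """Emulate 'ip verify unicast source reachable-via {rx|any} [allow-default]'.
    rx  (strict): the best route back to src must point out the ingress interface.
    any (loose) : a route back to src must merely exist and not be a Null0 route.
    A default-route match only counts when allow_default is set, mirroring IOS,
    which ignores the default route unless 'allow-default' is configured.
    """
    hit = lookup(src)
    if hit is None:
        return False
    pfx, intf = hit
    if pfx.prefixlen == 0 and not allow_default:
        return False
    if intf == "Null0":
        return False
    if mode == "rx":
        return intf == ingress
    return True

# Constructed sample packets arriving on customer A's interface: (source, ingress)
PACKETS = [
    ("192.0.2.10", "FastEthernet1/0"),    # customer A's own address
    ("198.51.100.5", "FastEthernet1/0"),  # spoofed: customer B's address
    ("10.0.0.1", "FastEthernet1/0"),      # spoofed: only the default route matches
    ("203.0.113.7", "FastEthernet1/0"),   # spoofed: blackholed prefix
]

def verdicts(mode="rx", allow_default=False):
    """Return {source: permitted?} for each sample packet under the given mode."""
    return {s: urpf_permits(s, i, mode, allow_default) for s, i in PACKETS}
```

Strict mode passes only the customer's own prefix on its own interface, which is also why it breaks on asymmetrically routed links; loose mode still catches sources with no route or a Null0 route.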