[53166] in North American Network Operators' Group


Re: no ip forged-source-address

daemon@ATHENA.MIT.EDU (bdragon@gweep.net)
Mon Nov 4 16:21:51 2002

To: jesper@skriver.dk (Jesper Skriver)
Date: Mon, 4 Nov 2002 16:21:17 -0500 (EST)
Cc: nanog@nanog.org
In-Reply-To: <20021030161752.GB97248@skriver.dk> from "Jesper Skriver" at Oct 30, 2002 05:17:52 PM
From: <bdragon@gweep.net>
Errors-To: owner-nanog-outgoing@merit.edu


> On Wed, Oct 30, 2002 at 03:44:12PM +0000, variable@ednet.co.uk wrote:
> 
> > Therefore, would it be a reasonable suggestion to ask router vendors to
> > source address filtering in as an option[1] on the interface and then move
> > it to being the default setting[2] after a period of time?
> 
> Cannot be done, I certainly don't want RPF check to be default enabled
> on all interfaces on my routers, think for a second about asymmetric
> routing WITHIN the ISP network.
> 
> /Jesper

In Cisco parlance,
ip verify unicast source reachable-via any allow-default allow-self-ping
would be fine in the core, and as a default setting.

Would still need to enable strict settings on applicable borders,
which would probably be skipped by the clue impaired, but
some of the crap would be caught, which is better than none.
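
Added illustration, not part of the original message: a simplified Python model of the strict versus loose unicast RPF decision discussed in this thread, showing why asymmetric routing breaks strict mode but not `reachable-via any`. The FIB contents, interface names and function names are constructed for the example; it assumes one best path per prefix and does not model `allow-self-ping`.

```python
import ipaddress

# Constructed FIB for a default-free core router: prefix -> best-path interface.
CORE_FIB = {
    "192.0.2.0/24": "ge-0",
    "198.51.100.0/24": "ge-1",
    "203.0.113.0/25": "ge-1",
}

def lookup(fib, src):
    """Longest-prefix match on the source address; (network, iface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_permits(fib, src, in_iface, mode, allow_default=False):
    """Return True if the packet passes the RPF check.

    mode "strict" models reachable-via rx: the route back to the source
    must point out the interface the packet arrived on.
    mode "loose" models reachable-via any: any route to the source will do.
    """
    match = lookup(fib, src)
    if match is None:
        return False                  # no route to the source at all: drop
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False                  # only the default route covers it: drop
    if mode == "strict":
        return iface == in_iface
    return True

if __name__ == "__main__":
    # Asymmetric path: 192.0.2.10 is routed via ge-0 but its traffic arrives on ge-1.
    print("strict, asymmetric:", urpf_permits(CORE_FIB, "192.0.2.10", "ge-1", "strict"))
    print("loose,  asymmetric:", urpf_permits(CORE_FIB, "192.0.2.10", "ge-1", "loose"))
    # Source with no route in a default-free table is dropped even in loose mode.
    print("loose,  unrouted:  ", urpf_permits(CORE_FIB, "10.1.1.1", "ge-1", "loose"))
    # With a default route present, allow-default lets every source through.
    with_default = dict(CORE_FIB, **{"0.0.0.0/0": "ge-0"})
    print("loose + allow-default + default route:",
          urpf_permits(with_default, "10.1.1.1", "ge-1", "loose", allow_default=True))
```

The last case is the reason the loose setting only filters anything on routers that carry no default route.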

