[61808] in North American Network Operators' Group


Re: What were we saying about edge filtering?

daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Fri Sep 5 04:29:24 2003

Date: Fri, 5 Sep 2003 10:28:44 +0200
Cc: nanog@merit.edu
To: Owen DeLong <owen@delong.com>
From: Iljitsch van Beijnum <iljitsch@muada.com>
In-Reply-To: <2147483647.1062669065@imac-en0.delong.sj.ca.us>
Errors-To: owner-nanog-outgoing@merit.edu


On Thursday, Sep 4, 2003, at 18:51 Europe/Amsterdam, Owen DeLong wrote:

> Source address-based filtering in the backbone is expensive and, in many
> cases, non-feasible.

And, of course, unnecessary. Everything in the core must have gotten 
there over a border towards some external network or an edge towards a 
customer (counting own servers and stuff as "customer" too) so if 
filtering is done there, no need to repeat it in the core.

BTW, from what I can tell on a pretty old/slow Cisco box, uRPF makes 
packet forwarding take about 10% more CPU, which is the same as a short 
standard access list (which can only look at source addresses). A short 
extended access list takes around 20% more CPU.
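
Added example, not part of the original message: a small Python model of the two source-only edge checks compared above, strict uRPF and a short standard access list. The FIB, the interface names and the documentation prefixes are constructed assumptions, and the last packet shows the case where strict uRPF drops legitimate traffic from a multihomed customer while a source ACL does not.

```python
import ipaddress

# Constructed FIB for a hypothetical edge router: (prefix, egress interface).
FIB = [
    ("0.0.0.0/0", "upstream0"),      # default route towards the border
    ("192.0.2.0/24", "cust0"),       # customer A, single-homed
    ("198.51.100.0/24", "cust1"),    # customer B, best path is its primary link
]

def best_route(fib, addr):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in fib
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def urpf_strict(fib, src, in_ifc):
    """Accept only if the best route back to src leaves via the arrival interface."""
    return best_route(fib, src) == in_ifc

def standard_acl(permitted, src):
    """Source-only ACL: permit if src is in a listed prefix, implicit deny otherwise."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in permitted)

# Constructed packets: (source, arrival interface, per-interface ACL, note).
# cust2 is assumed to be customer B's backup link, absent from the FIB best paths.
PACKETS = [
    ("192.0.2.10", "cust0", ["192.0.2.0/24"], "customer A, own address"),
    ("203.0.113.5", "cust0", ["192.0.2.0/24"], "customer A, spoofed source"),
    ("198.51.100.7", "cust2", ["198.51.100.0/24"], "customer B via backup link"),
]

def evaluate(fib, packets):
    """Return (note, uRPF verdict, ACL verdict) for each packet."""
    return [(note, urpf_strict(fib, src, ifc), standard_acl(acl, src))
            for src, ifc, acl, note in packets]

if __name__ == "__main__":
    for note, urpf_ok, acl_ok in evaluate(FIB, PACKETS):
        print(f"{note:30} uRPF={'pass' if urpf_ok else 'drop'} "
              f"ACL={'pass' if acl_ok else 'drop'}")
```
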

