[68251] in North American Network Operators' Group
Re: Source address validation (was Re: UUNet Offer New Protection
daemon@ATHENA.MIT.EDU (Sean Donelan)
Sat Mar 6 22:42:42 2004
Date: Sat, 6 Mar 2004 22:42:06 -0500 (EST)
From: Sean Donelan <sean@donelan.com>
To: Dan Hollis <goemon@anime.net>
Cc: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0403061851240.15301-100000@sasami.anime.net>
Errors-To: owner-nanog-outgoing@merit.edu
On Sat, 6 Mar 2004, Dan Hollis wrote:
> sadly the prevailing thought seems to be 'we can't block every exploit so
> we will block none'. this (and others) are used as an excuse to not deploy
> urpf on edge interfaces facing singlehomed customers.

This is one of the few locations SAV/uRPF consistently works. SAV/uRPF is
widely (but not 100%) deployed in those locations. However I think you
are mis-stating the issue. I do not know of anyone that has stated your
reason as the reason not to deploy SAV/uRPF on non-routing interfaces.

The issue which prompted this thread was deploying uRPF on multi-path
backbone interfaces using active routing.

How many exploits does uRPF block?

Biometric smart cards may do wonders for credit card fraud. Why don't
credit card companies replace all existing cards with them?

Does uRPF solve more problems than it causes, and save more than it
costs?
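
Added example, not part of the message above: a minimal model of a strict-mode uRPF check (accept a packet only if the best route back to its source leaves via the interface it arrived on), run against an edge interface facing a single-homed customer and against a multi-path backbone interface. The interface names, the documentation-range prefixes and the forwarding-table contents are constructed assumptions.

```python
import ipaddress

class Fib:
    """Toy forwarding table: longest-prefix match to a set of egress interfaces."""
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]

    def egress(self, addr):
        ip = ipaddress.ip_address(addr)
        hits = [(n.prefixlen, i) for n, i in self.routes if ip in n]
        if not hits:
            return set()
        best = max(plen for plen, _ in hits)
        return {i for plen, i in hits if plen == best}

def urpf_strict(fib, src, in_iface):
    """Accept only if the best route back to src leaves via the arrival interface."""
    return in_iface in fib.egress(src)

# Constructed edge router: one single-homed customer, default route upstream.
EDGE = Fib([("192.0.2.0/24", "cust0"), ("0.0.0.0/0", "up0")])

# Constructed backbone router: two paths (bb1, bb2) lead toward 203.0.113.0/24,
# but route selection installed only bb1 as best, so the FIB holds bb1 alone.
BACKBONE = Fib([("203.0.113.0/24", "bb1")])

def evaluate():
    return {
        # Customer's own address arriving on the customer port.
        "edge_legit": urpf_strict(EDGE, "192.0.2.10", "cust0"),
        # Source outside the customer's prefix arriving on the customer port.
        "edge_spoofed": urpf_strict(EDGE, "198.51.100.7", "cust0"),
        # Genuine source arriving on the interface the FIB prefers.
        "backbone_symmetric": urpf_strict(BACKBONE, "203.0.113.5", "bb1"),
        # Same genuine source arriving on the other path (asymmetric routing).
        "backbone_asymmetric": urpf_strict(BACKBONE, "203.0.113.5", "bb2"),
    }

if __name__ == "__main__":
    for case, accepted in evaluate().items():
        print(f"{case:20} {'accept' if accepted else 'DROP'}")
```

The last case is a legitimate packet that merely arrived over the other path, which the strict check cannot tell apart from a spoofed one.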