[68284] in North American Network Operators' Group


Re: Source address validation (was Re: UUNet Offer New Protection

daemon@ATHENA.MIT.EDU (Paul Vixie)
Sun Mar 7 17:18:39 2004

To: nanog@merit.edu
From: Paul Vixie <vixie@vix.com>
Date: 07 Mar 2004 22:15:12 +0000
In-Reply-To: <Pine.GSO.4.58.0403071559110.8893@clifden.donelan.com>
Errors-To: owner-nanog-outgoing@merit.edu


sean@donelan.com (Sean Donelan) writes:

> SAV doesn't tell you where the packets came from.  At best SAV tells you
> where the packets didn't come from.

...which is incredibly more valuable than not knowing anything at all.

> You would be wrong.  There are networks that have deployed SAV/uRPF.
> 
> They saw no _net_ savings.
> 
> In the real world, it costs more to deploy and maintain SAV/uRPF.

in the therefore-unreal world i live in, the ability to tell a GWF ("goober
with firewall") that the incident report they sent our noc could not possibly
have come from here, is a net cost savings over having to prove it every time.

> Have you noticed this thread is full of people who don't run large
> networks saying other people who do run networks should deploy SAV/uRPF.

distinguishingly, i do help run a network, and i'm not limiting my accusation
("you guys are slackers") to uRPF-free networks of any particular size ("big").
-- 
Paul Vixie
