[93108] in North American Network Operators' Group
Re: 10,352 active botnets (was Re: register.com down sev0?
daemon@ATHENA.MIT.EDU (Jack Bates)
Thu Oct 26 18:07:14 2006
Date: Thu, 26 Oct 2006 16:38:49 -0500
From: Jack Bates <jbates@brightok.net>
To: Matthew Crocker <matthew@crocker.com>
Cc: nanog@merit.edu
In-Reply-To: <E7C4ABF3-1476-493C-ABD4-3F40C7609FE5@crocker.com>
Errors-To: owner-nanog@merit.edu
Matthew Crocker wrote:
>
>> Maybe the new slogan needs to be "Save the Internet! Train the chimps!"
>
> Shouldn't 'ip verify unicast source reachable-by rx' be a default
> setting on all interfaces? Only to be removed by trained chimps?
>
Only if you wish to break existing configurations during IOS upgrades. I could
see ip verify unicast source reachable-by any (less breakage), but rx will kill
all types of good asymmetric routing. The largest breakage I have seen caused by
rx is the link IP breakage caused by the router responding out multiple
interfaces. It's also a problem when customers are straddling the fence,
purposefully using asymmetric routing.

It would be nicer to have router support where a packet is acceptable if its
network is acceptable in the BGP (or IGP) policy/filter (i.e., network may not be
there, but it is allowed) as well as the link addresses associated with the BGP
(or IGP) peer.

-Jack
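
An added example, not part of the original message or of any router's code: a small Python model of the three source checks discussed above (`rx`, `any`, and the filter-based acceptance proposed in the last paragraph). The topology, interface names, documentation-range addresses and the mode name `policy` are all constructed for illustration.

```python
import ipaddress
net = ipaddress.ip_network

# Constructed topology: one customer is multihomed on Gi0/1 and Gi0/2 and
# announces 198.51.100.0/24 on both; the router's best path is via Gi0/1.
FIB = {net("198.51.100.0/24"): "Gi0/1",   # best route only, as a FIB holds
       net("192.0.2.0/30"): "Gi0/1",      # connected link to the customer
       net("192.0.2.4/30"): "Gi0/2",      # second connected link, same customer
       net("203.0.113.0/24"): "Gi0/3"}    # a different customer

# Hypothetical per-interface policy: prefixes the peer's BGP/IGP filter permits
# plus the link subnets belonging to that peer (the check the message proposes).
CUST_A = [net("198.51.100.0/24"), net("192.0.2.0/30"), net("192.0.2.4/30")]
POLICY = {"Gi0/1": CUST_A, "Gi0/2": CUST_A, "Gi0/3": [net("203.0.113.0/24")]}

def best_interface(src):
    """Longest-prefix match of src in the FIB; None when no route exists."""
    ip = ipaddress.ip_address(src)
    hits = [(n.prefixlen, ifc) for n, ifc in FIB.items() if ip in n]
    return max(hits)[1] if hits else None

def accept(mode, src, in_ifc):
    """True when a packet from src arriving on in_ifc passes the check."""
    if mode == "rx":      # strict: best return path must be the arrival interface
        return best_interface(src) == in_ifc
    if mode == "any":     # loose: any route to the source is enough
        return best_interface(src) is not None
    if mode == "policy":  # source must be permitted by that peer's filter
        ip = ipaddress.ip_address(src)
        return any(ip in n for n in POLICY[in_ifc])
    raise ValueError(mode)

# Constructed packets: (source address, arrival interface, description)
PACKETS = [("198.51.100.10", "Gi0/1", "symmetric customer traffic"),
           ("198.51.100.10", "Gi0/2", "asymmetric, sent via the second link"),
           ("192.0.2.1", "Gi0/2", "peer's Gi0/1 link address seen on Gi0/2"),
           ("203.0.113.7", "Gi0/2", "another customer's prefix"),
           ("10.9.9.9", "Gi0/1", "source with no route at all")]

def verdicts():
    """Map (src, interface) to the (rx, any, policy) results."""
    return {(s, i): tuple(accept(m, s, i) for m in ("rx", "any", "policy"))
            for s, i, _ in PACKETS}

if __name__ == "__main__":
    for (s, i), v in verdicts().items():
        print(f"{s:15} {i}  rx={v[0]!s:5} any={v[1]!s:5} policy={v[2]}")
```

In this model `rx` drops the legitimate asymmetric and link-address packets, `any` passes them but also passes the other customer's prefix arriving on the wrong port, and the filter-based check accepts the first three packets and rejects the last two.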