[93125] in North American Network Operators' Group
different flavours of uRPF [RE: register.com down sev0?]
daemon@ATHENA.MIT.EDU (Pekka Savola)
Fri Oct 27 02:51:48 2006
Date: Fri, 27 Oct 2006 09:50:09 +0300 (EEST)
From: Pekka Savola <pekkas@netcore.fi>
To: tony.li@tony.li
Cc: "'Daniel Senie'" <dts@senie.com>, nanog@merit.edu
In-Reply-To: <000701c6f992$7b2aecf0$4e05a8c0@tropos.com>
Errors-To: owner-nanog@merit.edu

On Thu, 26 Oct 2006, Tony Li wrote:
> > It was possible to implement BCP38 before the router vendors
> > came up with uRPF.
>
> Further, uRPF is frequently a very inefficient means of implementing BCP
> 38. Consider that you're going to either compare the source address
> against a table of 200,000 routes or against a handful of prefixes that
> you've statically configured in an ACL.

Isn't that only a problem if you want to run a loose mode uRPF?
Given that loose mode uRPF isn't very useful in most places where
you'd like to do ingress filtering, this doesn't seem like a big
issue..

BTW, I still keep wondering why Cisco hasn't implemented something
like Juniper's feasible-path strict uRPF. Works quite well with
multihomed and asymmetric routing as well -- no need to fiddle with
communities, BGP weights etc. to ensure symmetry.

--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
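
Added example, not part of the original message or of any vendor's code: a small Python model of the three uRPF flavours named in this thread (strict, feasible-path strict, loose), showing which one accepts or drops a packet from a multihomed customer's backup link and a spoofed source. The routing table, prefixes and interface names are constructed for illustration.

```python
import ipaddress

# Constructed routing table (documentation prefixes, hypothetical interface names).
# Each prefix maps to its known paths; the first entry is the best (active) path.
ROUTES = {
    "192.0.2.0/24": ["ge-0/0/0", "ge-0/0/1"],  # multihomed customer, backup via ge-0/0/1
    "198.51.100.0/24": ["ge-0/0/2"],           # unrelated network, single path
}

def lookup(src):
    """Longest-prefix match on the source; returns its paths, or None if unrouted."""
    addr = ipaddress.ip_address(src)
    nets = [ipaddress.ip_network(p) for p in ROUTES]
    matches = [n for n in nets if addr in n]
    if not matches:
        return None
    return ROUTES[str(max(matches, key=lambda n: n.prefixlen))]

def urpf_accepts(mode, src, in_if):
    """Decide whether a packet with source `src` arriving on `in_if` passes the check."""
    paths = lookup(src)
    if paths is None:
        return False                # no route back to the source: every mode drops
    if mode == "loose":
        return True                 # any route at all, on any interface
    if mode == "strict":
        return paths[0] == in_if    # must arrive on the best-path interface
    if mode == "feasible":
        return in_if in paths       # any known path, best or alternate
    raise ValueError(f"unknown mode: {mode}")

def verdicts(src, in_if):
    """Verdict of all three modes for one packet."""
    return {m: urpf_accepts(m, src, in_if) for m in ("strict", "feasible", "loose")}

if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "ge-0/0/0", "customer, primary link"),
        ("192.0.2.10", "ge-0/0/1", "customer, backup link (asymmetric)"),
        ("198.51.100.7", "ge-0/0/1", "spoofed source on customer link"),
        ("203.0.113.9", "ge-0/0/1", "unrouted source"),
    ]
    for src, in_if, label in cases:
        print(f"{label:36} {src:14} {in_if}: {verdicts(src, in_if)}")
```

In this model only feasible-path mode both accepts the customer's traffic on the backup link and drops the spoofed source arriving on that link.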