Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Cisco - ip verify unicast reverse-path

  • From: Paul Ferguson
  • Date: Sat Feb 12 18:39:36 2000

Tony,

At 02:54 PM 02/12/2000 -0800, trall@almaden.ibm.com wrote:

>This command has been mentioned numerous times during the DDoS discussion.
>I, for one, don't have a good idea of how it works.  Perhaps someone can
>enlighten us?

The "ip verify unicast reverse-path" interface command (also known
as Unicast RPF, or Reverse-Path Forwarding check) requires CEF to
be in used in order to use this feature. This is because CEF separates
the RIB and FIB, and the FIB check is used that ensure that packets
received on an interface with this feature enabled are not forwarded
unless a valid path on the same interface exists back to the originating
source.

See also:

"Essential IOS" - Features Every ISP Should Consider
http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip

and

Craig Huegen's very useful web page on minimizing the effects
of DoS attacks:
http://users.quadrunner.com/chuegen/smurf.cgi


>Another issue is why has Cisco made this such a stealth feature? 

It's not a stealth feature -- it's just not well documented yet.
It was only introduced in 11.1(17)CC release image, which is a
specialized service provider code base.

We are working to get it documented in the traditional ways as
it gets integrated into mainline code releases.

- paul






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.