North American Network Operators Group
Re: CEF RPF check w/ACLs (was: Re: netscan.org update)
- From: James A. T. Rice
- Date: Thu Sep 28 09:53:16 2000
Wow, I wonder what Cisco would do with my wish list:

ip verify unicast reverse-exists

i.e. only accept the packet on this interface if there is a route back to
the source, *not necessarily on the same interface*..
This should be safe to use on all interfaces and could use the existing
CEF FIB, and might catch a lot of spoofed packets on a good day.

ip verify unicast destination-advertised

This would check the destination address on any packet coming into an
interface, and drop it if a route to that destination WASN'T advertised out
of that interface - /ideal/ for NAPs & IX's. Couldn't use the existing CEF
tables, Cisco would need to write an advertised-table for each
interface. Again this should be safe to use on almost any interface.

Regards
James

On Mon, 25 Sep 2000, Tony Tauber wrote:
> I was the one who asked for something like it and a friendly
> developer coded it up nice and quickly.
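
Added example, not part of the original post and not Cisco code: a small Python model of the two checks proposed in the message, next to the same-interface RPF check they are contrasted with. The FIB entries, advertised-prefix table and interface names (ix0, transit0, cust0) are constructed for illustration.

```python
import ipaddress

def lookup(fib, addr):
    """Longest-prefix match over (prefix, interface) pairs; None if no route."""
    ip, best = ipaddress.ip_address(addr), None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def strict_rpf(fib, src, in_if):
    """Same-interface check: the route back to src must leave via in_if."""
    hit = lookup(fib, src)
    return hit is not None and hit[1] == in_if

def reverse_exists(fib, src):
    """First wish-list item: any route back to src, on any interface."""
    return lookup(fib, src) is not None

def destination_advertised(advertised, dst, in_if):
    """Second wish-list item: dst must lie in a prefix announced out of in_if."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(p) for p in advertised.get(in_if, ()))

def verdict(fib, advertised, src, dst, in_if):
    return {
        "strict": strict_rpf(fib, src, in_if),
        "reverse_exists": reverse_exists(fib, src),
        "destination_advertised": destination_advertised(advertised, dst, in_if),
    }

# Constructed sample data (documentation prefixes, hypothetical interface names).
FIB = [
    ("192.0.2.0/24", "ix0"),          # peer reached over the exchange
    ("198.51.100.0/24", "transit0"),  # best path is via transit
    ("203.0.113.0/24", "cust0"),      # our customer
]
ADVERTISED = {"ix0": ["203.0.113.0/24"]}  # only the customer prefix is announced at the IX

if __name__ == "__main__":
    cases = [
        ("asymmetric path", "198.51.100.7", "203.0.113.5"),
        ("unrouted source", "10.9.9.9", "203.0.113.5"),
        ("unadvertised destination", "192.0.2.10", "198.51.100.20"),
    ]
    for name, src, dst in cases:
        print(name, verdict(FIB, ADVERTISED, src, dst, "ix0"))
```

In this model a default route (0.0.0.0/0) in the FIB makes reverse_exists pass for every source, so that check only filters anything on a default-free table.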