North American Network Operators Group
RE: CEF RPF check w/ACLs (was: Re: netscan.org update)
- From: Segal, Mark
- Date: Thu Sep 28 16:20:35 2000
What a novel idea.. :). That would put all my expect programmers out of
business though.. oh well.
If there are any Cisco folks listening.. This just makes sense.
Mark
--
Mark Segal
Director, Network Engineering
Axxent Corp.
Tel: (416)907-2858
> -----Original Message-----
> From: James A. T. Rice [mailto:James_R-nanog@jump.org.uk]
> Sent: Thursday, September 28, 2000 9:49 AM
> To: nanog@merit.edu
> Subject: Re: CEF RPF check w/ACLs (was: Re: netscan.org update)
>
> Wow, I wonder what cisco would do with my wish list:
>
> ip verify unicast reverse-exists
>
> i.e. only accept the packet on this interface if there is a route back to
> the source, *not necessarily on the same interface*..
> This should be safe to use on all interfaces and could use the existing
> CEF FIB, and might catch a lot of spoofed packets on a good day.
>
> ip verify unicast destination-advertised
>
> This would check the destination address on any packet coming into an
> interface, and drop it if a route to that destination WASN'T advertised out
> of that interface - /ideal/ for NAPs & IX's. Couldn't use the existing CEF
> tables; Cisco would need to write an advertised-table for each
> interface. Again this should be safe to use on almost any interface.
>
> Regards
> James
>
> On Mon, 25 Sep 2000, Tony Tauber wrote:
>
> > I was the one who asked for something like it and a friendly
> > developer coded it up nice and quickly.
>
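The two checks James wishes for above, beside the strict reverse-path check that already existed, modelled as an added example (not Cisco code and not from either poster). It builds a toy CEF-style FIB with longest-prefix match and runs three tests per packet: strict uRPF (the best route to the source must point back out the ingress interface), the proposed "reverse-exists" (any non-blackhole route to the source, on whatever interface), and the proposed "destination-advertised" (the destination must fall inside a prefix this router advertised out of the ingress interface, which needs a per-interface table the FIB does not hold). Interface names, prefixes and packets are constructed; note that a default route in the FIB would make the reverse-exists check pass every source, which is why the later shipping implementation of loose mode gates that behind an explicit option.

```python
"""Constructed model of strict uRPF, 'reverse-exists' and 'destination-advertised'.

Not Cisco code and not from the original posts: interface names, prefixes and
packets are all made up for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    out_iface: str  # "Null0" models a blackhole route


class Fib:
    """Minimal FIB: longest-prefix match over a list of routes."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, out_iface: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), out_iface))

    def lookup(self, addr: str) -> Optional[Route]:
        a = ipaddress.ip_address(addr)
        best: Optional[Route] = None
        for r in self.routes:
            if a in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


def rpf_strict(fib: Fib, in_iface: str, src: str) -> bool:
    """Classic reverse-path check: the best route to the source must point
    back out the interface the packet arrived on (breaks on asymmetric paths)."""
    r = fib.lookup(src)
    return r is not None and r.out_iface == in_iface


def rpf_loose(fib: Fib, src: str) -> bool:
    """Proposed 'reverse-exists': accept if *some* route to the source exists,
    whatever interface it points to.  A Null0 route counts as no route, so
    blackholed source prefixes are still dropped.  The demo FIB has no default
    route; with one, every source would pass."""
    r = fib.lookup(src)
    return r is not None and r.out_iface != "Null0"


def dest_advertised(adv: Dict[str, List[Net]], in_iface: str, dst: str) -> bool:
    """Proposed 'destination-advertised': the destination must lie inside a
    prefix this router advertised out of the ingress interface.  Needs a
    per-interface advertised table, which the FIB does not carry."""
    d = ipaddress.ip_address(dst)
    return any(d in p for p in adv.get(in_iface, []))


def check_packet(fib: Fib, adv: Dict[str, List[Net]],
                 in_iface: str, src: str, dst: str) -> Dict[str, bool]:
    """Run all three checks on one packet and report each verdict."""
    return {
        "strict": rpf_strict(fib, in_iface, src),
        "reverse-exists": rpf_loose(fib, src),
        "destination-advertised": dest_advertised(adv, in_iface, dst),
    }


def build_demo() -> Tuple[Fib, Dict[str, List[Net]]]:
    """Constructed FIB and per-interface advertised tables (assumed values)."""
    fib = Fib()
    fib.add("10.0.0.0/8", "Gi0/0")       # our customer aggregate
    fib.add("192.0.2.0/24", "Gi0/1")     # learned from peer A
    fib.add("198.51.100.0/24", "Gi0/2")  # learned from peer B
    fib.add("203.0.113.0/24", "Null0")   # blackholed source prefix
    adv = {
        "Gi0/0": [ipaddress.ip_network("0.0.0.0/0")],   # customers receive a default
        "Gi0/1": [ipaddress.ip_network("10.0.0.0/8")],  # peers receive only our prefixes
        "Gi0/2": [ipaddress.ip_network("10.0.0.0/8")],
    }
    return fib, adv


if __name__ == "__main__":
    fib, adv = build_demo()
    for iface, src, dst in [
        ("Gi0/0", "10.1.2.3", "192.0.2.5"),        # customer traffic, all pass
        ("Gi0/1", "10.9.9.9", "10.0.0.1"),         # peer spoofing our customer space
        ("Gi0/1", "198.51.100.7", "10.0.0.1"),     # asymmetric but legitimate path
        ("Gi0/1", "172.16.0.1", "10.0.0.1"),       # no route to source at all
        ("Gi0/1", "192.0.2.9", "198.51.100.1"),    # peer using us as transit
        ("Gi0/2", "203.0.113.4", "10.0.0.1"),      # blackholed source prefix
    ]:
        print(iface, src, "->", dst, check_packet(fib, adv, iface, src, dst))
```

The interesting rows are the second and third: strict mode cannot tell a spoofed customer address arriving from a peer apart from a legitimate asymmetric path (both fail), while reverse-exists passes both and only drops sources the FIB has never heard of or has blackholed. The transit-abuse row shows what destination-advertised adds: source checks pass, but the destination was never advertised to that peer.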