Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Who does source address validation? (was Re: what's that smell?)

  • From: Jared Mauch
  • Date: Tue Oct 08 11:29:40 2002

On Tue, Oct 08, 2002 at 11:09:10AM -0400, Sean Donelan wrote:
> If there is a magic solution, I would love to hear about it.

	to drop the RFC 1918 space, there is a close to magic

	install this on all your internal, upstream, downstream
interfaces (Cisco router) [CEF required]:

"ip verify unicast source reachable-via any"

	This will drop all packets on the interface that do not
have a way to return them in your routing table.

> Unfortunately, the only solutions I've seen involve considerable work and
> resources to implement and maintain all the "exceptions" needed to do 100%
> source address validation.

	Juniper has a somewhat viable solution to the 100% source
validation for BGP customers.  They will consider non-best
paths in their unicast-rpf check on the customer interface.  This
means that even if is best returned via your
peer instead of via the provider the packet came in, but they
are advertising the prefix to you, you will not drop the packet.

> Heck, the phone network still has trouble getting the correct Caller-ID
> end-to-end.

	Uh, this is because it costs another 1/2 a cent a minute (or more)
to provision a caller-id capable trunk (long distance) and people just
don't want to pay the extra money and it's cheaper to not identify
oneself.  (This is why most telemarketers don't generate caller-id
or if they can, they suppress it).

	- jared
Jared Mauch  | pgp key available via finger from
clue++;      |  My statements are only mine.
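
Added example, not part of the original message: a small Python model of the reverse-path checks discussed above. It compares loose mode (the behaviour of "reachable-via any": accept if any route covers the source), strict mode (best path must point back out the ingress interface) and a feasible-path check that also accepts non-best paths. The routing table, interface names and sample packets are constructed, and the table is assumed to hold no default route and no RFC 1918 routes.

```python
import ipaddress

# Constructed routing table (not from the original message): prefix -> list of
# (interface, is_best_path). Assumes no default route and no RFC 1918 routes.
RIB = {
    "198.51.100.0/24": [("peer0", True), ("cust0", False)],  # customer multihomed; best via peer
    "203.0.113.0/24": [("cust0", True)],
    "192.0.2.0/24": [("upstream0", True)],
}

def lookup(src):
    """Longest-prefix match; return the path list, or None when no route covers src."""
    addr = ipaddress.ip_address(src)
    match = None
    for prefix, paths in RIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (match is None or net.prefixlen > match[0].prefixlen):
            match = (net, paths)
    return match[1] if match else None

def urpf_accepts(mode, src, in_if):
    """True if a packet with source src arriving on in_if passes the check."""
    paths = lookup(src)
    if paths is None:
        return False  # no way to return the packet: every mode drops
    if mode == "loose":
        return True   # any covering route is enough, whatever the interface
    if mode == "strict":
        return any(iface == in_if and best for iface, best in paths)
    if mode == "feasible":
        return any(iface == in_if for iface, _ in paths)  # non-best paths count
    raise ValueError(f"unknown mode: {mode}")

def verdicts(src, in_if):
    return {m: urpf_accepts(m, src, in_if) for m in ("loose", "strict", "feasible")}

if __name__ == "__main__":
    for src, in_if in [("10.1.2.3", "cust0"), ("198.51.100.7", "cust0"),
                       ("198.51.100.7", "upstream0"), ("203.0.113.9", "cust0")]:
        print(f"{src:>14} on {in_if:<9} -> {verdicts(src, in_if)}")
```

The third sample packet shows the limit of loose mode: a source that is routed somewhere in the table is accepted on any interface, so the check filters only unrouted space such as RFC 1918.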
