North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Who does source address validation? (was Re: what's that smell?)
- From: Jared Mauch
- Date: Tue Oct 08 11:29:40 2002
On Tue, Oct 08, 2002 at 11:09:10AM -0400, Sean Donelan wrote:
> If there is a magic solution, I would love to hear about it.
to drop the rfc1918 space, there is a close to magic
install this on all your internal, upstream, downstream
interfaces (cisco router) [cef required]:
"ip verify unicast source reachable-via any"
This will drop all packets on the interface that do not
have a way to return them in your routing table.
> Unfortunately, the only solutions I've seen involve considerable work and
> resources to implement and maintain all the "exceptions" needed to do 100%
> source address validation.
Juniper has a somewhat viable solution to the 100% source
validation for bgp customers. they will consider non-best
paths in their unicast-rpf check on the customer interface. This
means that even if 18.104.22.168/8 is best returned via your
peer instead of via the provider the packet came in, but they
are advertizing the prefix to you, you will not drop the packet.
> Heck, the phone network still has trouble getting the correct Caller-ID
Uh, this is because it costs another 1/2 a cent a minute (or more)
to provision a caller-id capable trunk (long distance) and people just
don't want to pay the extra money and it's cheaper to not identify
oneself. (This is why most telemarketers don't generate caller-id
or if they can, they supress it).
Jared Mauch | pgp key available via finger from email@example.com
clue++; | http://puck.nether.net/~jared/ My statements are only mine.