Re: [nsp] Forwarding packets with source address of 127.x

From: Andrew Bender (abender@tns-inc.com)
Date: Thu Jan 06 2000 - 17:29:54 EST


Are you sure it isn't any gateway with a DA-based forwarding model
you're both talking about?

In all seriousness, per-packet validation of source IP is a costly
operation for a _slowpath_ router.
Making this behavior optional can be very desirable in circumstances,
especially where doing so would mitigate the 50% penalty that
double-inspection could create.

I would suspect that most operators prefer to maintain and support
systems that run no more performance or stability affecting features
(branches, segments, routines) than they are explicitly required (or
configured) to, even at the expense of some compliance.

Regards,
Andrew Bender
Total Network Solutions, Inc.

On Thu, 6 Jan 2000, Tim Wolfe wrote:
> Date: Thu, 6 Jan 2000 12:34:04 -0800 (PST)
> From: Tim Wolfe <tim@clipper.net>
> To: Sean Butler <sbutler1@tampabay.rr.com>
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [nsp] Forwarding packets with source address of 127.x
> Resent-Date: Thu, 6 Jan 2000 15:43:23 -0500
> Resent-From: cisco-nsp@puck.nether.net
>
> On Thu, 6 Jan 2000, Sean Butler wrote:
>
> > According to RFC 1812, section 5.3.7, a router should not forward packets
> > with a source address in 127.x.y.z... However, several DOS style attacks
> > seem to show this happening.
> >
> > Has Cisco in the past said they would not follow the RFC here, or is it a
> > bug?
>
> Are you sure it isn't one of those pieces of cra^H^HBa^H^HNortel Networks
>
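
Added example, not part of the original thread and not any vendor's code: the per-packet source check under discussion, written in Python over constructed IPv4 headers. The function names and sample addresses (192.0.2.0/24 documentation range) are illustrative assumptions; the loopback-egress exception follows the text of RFC 1812 section 5.3.7, which the thread does not quote.

```python
import ipaddress
import struct

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

def build_ipv4_header(src, dst, proto=17, ttl=64):
    """Build a 20-byte IPv4 header (constructed sample input, checksum left 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, ttl, proto, 0,
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )

def parse_source(packet):
    """Return the IPv4 source address, or None if the header is not usable."""
    if len(packet) < 20:
        return None
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        return None
    return ipaddress.IPv4Address(packet[12:16])

def forward_decision(packet, egress_is_loopback=False):
    """Destination-based forwarding plus one extra lookup on the source field."""
    src = parse_source(packet)
    if src is None:
        return "drop:malformed"
    # Source on network 127 may only leave via a loopback interface.
    if src in LOOPBACK_NET and not egress_is_loopback:
        return "drop:martian-source"
    return "forward"

def audit(packets):
    """List the source addresses of packets the check would refuse to forward."""
    return [str(parse_source(p)) for p in packets
            if forward_decision(p) == "drop:martian-source"]

# Constructed sample traffic: two spoofed loopback sources, one ordinary packet.
SAMPLE = [
    build_ipv4_header("127.0.0.1", "192.0.2.10"),
    build_ipv4_header("192.0.2.55", "192.0.2.10"),
    build_ipv4_header("127.255.1.2", "192.0.2.10"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```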



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:08 EDT