Re: [nsp] RPF question...(followup 2 by cisco)

From: lists (lists@lists.grot.org)
Date: Wed Jan 24 2001 - 13:06:21 EST


----- Forwarded message -----

Date: Wed, 24 Jan 2001 17:17:41 +0000 (BST)
From: Neil Jarvis <njarvis@cisco.com>
To: lists <lists@lists.grot.org>
Subject: Re: [nsp] RPF question...
In-Reply-To: <20010124085529.A12770@mighty.grot.org>

On Wed, 24 Jan 2001, lists wrote:

> Hi Neil,
>
> Thanks for the reply, it helps greatly.
>
> > It depends on the destination address and the image version:
> ...
> > However, this behaviour was changed with the commit of CSCdr93424.
>
> I'm unable to look at that bug ID in bug view -- could you tell me what
> version/train it applies to and what the explicit enable command is?

The change is available in 12.0(14)S and later. Below is a précis of
the changes made. Note that the main change was a new mode of
operation to support RPF checking in asymmetric routing environments,
see

  http://www.cisco.com/public/cons/isp/documents/uRPF_Enhancement_4.pdf

for details.

 * New mode of operation - "exists-only"

 In this mode, a source address need only be present in the FIB table,
 be resolved and reachable via a "real" interface to be verified. The
 new command is

    ip verify unicast source reachable-via any [allow-default]

 The allow-default flag means allow the lookup to match the default
 route and use it for verification. Note, this is today's behaviour,
 so is implicit with the old command format (see below).

 * Close ping DoS hole

 There is a hole in the verification check to allow the router to ping
 its own interface. This is a denial-of-service hole. You must now
 specify allow-self-ping in the command to enable this hole.

 * Allow secondary address pings

 There was a bug in the self-ping hole, which prevented the router
 pinging a secondary address. This is fixed. Note you must use the
 new allow-self-ping flag to make this work.

 * New command syntax

 The old command still works. To enable the self-ping, use the new
 flag:

    ip verify unicast reverse-path [allow-self-ping] [<list>]

 A new, extendable syntax is used to support the new modes of
 operation. It is:

    ip verify unicast source reachable-via (rx|any) [allow-default]
                             [allow-self-ping] [<list>]

>
> > If the destination address was not x.y.125.1, RPF will drop the
> > packets in all versions where RPF is supported.
>
> This is what I suspected and many thanks for confirming it.
>
> BTW, any reason why you did not reply to the cisco-nsp list? I suspect this
> will be of great interest to many on the list.

I am not subscribed to the list and was forwarded the query by a
colleague. Please feel free to forward my reply and these
clarifications to the list.

-Neil

----- End forwarded message -----
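The two verification modes Neil describes (strict "rx", loose "any", plus the allow-default and allow-self-ping flags) can be seen side by side in a small model of the lookup. The code below is an added illustration, not code from the original message or from Cisco IOS; the FIB entries, interface names, addresses, and the rule that "Null0" does not count as a "real" interface are all constructed for the example.

```python
"""Toy model of the uRPF modes in Neil Jarvis's note (strict "rx", loose
"any", allow-default, allow-self-ping).

Added illustration; not code from the original message or from Cisco IOS.
The FIB, interface names, addresses and the "Null0 is not a real
interface" rule are all constructed for the example.
"""
import ipaddress

# Constructed FIB: (prefix, egress interface). 0.0.0.0/0 is the default route.
FIB = [
    ("0.0.0.0/0",    "Serial0/0"),    # default route towards the upstream
    ("10.1.0.0/16",  "Ethernet1/0"),  # customer A
    ("10.2.0.0/16",  "Ethernet2/0"),  # customer B; may also send via Ethernet1/0
    ("192.0.2.0/24", "Null0"),        # blackholed source range
]
FIB_TABLE = [(ipaddress.ip_network(p), ifc) for p, ifc in FIB]

# Constructed: the router's own interface addresses.
OWN_ADDRS = {"10.1.0.1", "10.2.0.1", "198.51.100.2"}


def lookup(src):
    """Longest-prefix match of src against FIB_TABLE; (network, ifc) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, ifc in FIB_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best


def urpf_permits(src, rx_ifc, mode="rx", allow_default=False, allow_self_ping=False):
    """True if a packet with source src arriving on rx_ifc passes the check.

    mode="rx"        strict: the best route for src must point back out rx_ifc
    mode="any"       loose ("exists-only"): any route via a real interface suffices
    allow_default    let a match on 0.0.0.0/0 count as a route
    allow_self_ping  accept packets sourced from the router's own addresses
    """
    if src in OWN_ADDRS:
        # The self-ping "hole": the router's own addresses are only accepted
        # when explicitly enabled, as the note says the new syntax requires.
        return allow_self_ping
    hit = lookup(src)
    if hit is None:
        return False
    net, ifc = hit
    if net.prefixlen == 0 and not allow_default:
        return False           # only the default route matched
    if ifc == "Null0":
        return False           # constructed rule: not a "real" interface
    if mode == "rx":
        return ifc == rx_ifc
    if mode == "any":
        return True
    raise ValueError("mode must be 'rx' or 'any'")


def legacy_reverse_path(src, rx_ifc, allow_self_ping=False):
    """The old 'ip verify unicast reverse-path' command: strict mode with the
    default route implicitly allowed, per the note."""
    return urpf_permits(src, rx_ifc, "rx", allow_default=True,
                        allow_self_ping=allow_self_ping)


if __name__ == "__main__":
    # Customer B's traffic entering on customer A's interface: dropped by
    # strict mode, accepted by the new loose mode.
    print(urpf_permits("10.2.5.5", "Ethernet1/0", "rx"))
    print(urpf_permits("10.2.5.5", "Ethernet1/0", "any"))
```

The asymmetric-routing case the note is about is the 10.2.0.0/16 source arriving on Ethernet1/0: strict mode ("rx") drops it because the best route points out Ethernet2/0, while "any" accepts it because a route via a real interface exists. A source that matches only the default route is dropped in either mode unless allow-default is given, which is why the old `reverse-path` form behaves as `reachable-via rx allow-default`.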



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:26 EDT