Re: [nsp] 12.0(14)S/new uRPF code

From: Tony Tauber (ttauber@genuity.net)
Date: Fri Jan 05 2001 - 23:39:59 EST


On Fri, 5 Jan 2001, Jared Mauch wrote:

> I've had no problems with it doing a
> "ip verify unicast source reachable-via any" on any of my
> equipment running 14S.. except for GSR Engine2 linecards which
> do not support it (yet).

Haven't started dinking with the new features much but have one
complaint. From the enhancement notes:

++> Close ping DoS hole. There is a hole in the verification check to allow
++> the router to ping its own interface. This is a denial-of-service hole.
++> You must now specify allow-self-ping in the command to enable this hole.

This behavior breaks something people expect to be working.
I'd rather see the default behavior not change out from under people
but allow them to configure stricter security when they're ready and
willing.

Furthermore, from the doc:

++> Allow secondary address pings. There was a bug in the self-ping hole,
++> which prevented the router pinging a secondary address. This is fixed.
++> Note you must use the new allow-self-ping flag to make this work.

Tony

>
> It's useful to drop spoofed rfc1918 srces that may be part
> of a smurf or some other DoS in the core. It removes the martians
> from packet tracking.. now spoofed sources that are real ips become the
> whole new problem. We need more dialup/dsl anti-spoofing to happen,
> but that's not a subject for here.
>
> - Jared
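A small model of the check being discussed, added here as an illustration and not code from this thread or from IOS: a simplified uRPF lookup with the strict ("rx") and loose ("any") modes, a Null0 route for RFC 1918 space, and the self-ping exception that the new code turns off unless allow-self-ping is set. The FIB, interface addresses and prefixes are constructed for the example and do not describe any real router.

```python
import ipaddress

# Constructed FIB and interface table (hypothetical, for illustration only).
FIB = {
    "10.0.0.0/24": "Gi0/0",     # customer subnet reached via Gi0/0
    "192.0.2.0/24": "Gi0/1",    # peer link
    "0.0.0.0/0": "Gi0/1",       # default route toward the peer
}
NULL_ROUTES = {"192.168.0.0/16"}  # RFC 1918 space pointed at Null0
# Primary and secondary addresses per interface; both count as "receive"
# entries, which is the behaviour the secondary-address fix describes.
INTERFACES = {
    "Gi0/0": ["10.0.0.1", "10.0.1.1"],  # 10.0.1.1 is a secondary address
    "Gi0/1": ["192.0.2.1"],
}

def fib_lookup(src):
    """Longest-prefix match for a source address.
    Returns (kind, iface) with kind in {receive, null, route, none}."""
    addr = ipaddress.ip_address(src)
    for iface, addrs in INTERFACES.items():
        if addr in {ipaddress.ip_address(a) for a in addrs}:
            return ("receive", iface)  # one of the router's own addresses
    best = None
    for prefix, iface in list(FIB.items()) + [(p, None) for p in NULL_ROUTES]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        return ("none", None)
    return ("null", None) if best[1] is None else ("route", best[1])

def urpf_verify(src, in_iface, mode="rx", allow_self_ping=False):
    """Simplified unicast RPF check. mode 'rx' = strict (source must be
    reachable via the arrival interface); mode 'any' = loose (any route
    that is not Null0 suffices). Returns True if the packet is accepted."""
    kind, via = fib_lookup(src)
    if kind == "receive":
        # The self-ping exception: accept a packet sourced from one of the
        # router's own addresses so the router can ping its own interface.
        # This also accepts any packet carrying that source, regardless of
        # arrival interface, which is why the new code requires opting in.
        return allow_self_ping
    if kind in ("none", "null"):
        return False  # unrouted or Null0 source: spoofed or martian, drop
    return True if mode == "any" else via == in_iface
```

With the default (allow_self_ping=False) a source that is one of the router's own addresses fails the check on every interface, which is the behaviour change the message complains about; setting the flag restores the old behaviour for primary and secondary addresses alike.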



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:24 EDT