----- Forwarded message -----
Date: Wed, 24 Jan 2001 17:17:41 +0000 (BST)
From: Neil Jarvis <njarvis@cisco.com>
To: lists <lists@lists.grot.org>
Subject: Re: [nsp] RPF question...
In-Reply-To: <20010124085529.A12770@mighty.grot.org>
On Wed, 24 Jan 2001, lists wrote:
> Hi Neil,
>
> Thanks for the reply, it helps greatly.
>
> > It depends on the destination address and the image version:
> ...
> > However, this behaviour was changed with the commit of CSCdr93424.
>
> I'm unable to look at that bug ID in bug view -- could you tell me what
> version/train it applies to and what the explicit enable command is?
The change is available in 12.0(14)S and later. Below is a précis of
the changes made. Note that the main change was a new mode of
operation to support RPF checking in asymmetric routing environments,
see
http://www.cisco.com/public/cons/isp/documents/uRPF_Enhancement_4.pdf
for details.
* New mode of operation - "exists-only"
In this mode, a source address need only be present in the FIB table,
be resolved and reachable via a "real" interface to be verified. The
new command is
ip verify unicast source reachable-via any [allow-default]
The allow-default flag means allow the lookup to match the default
route and use it for verification. Note, this is today's behaviour,
so is implicit with the old command format (see below).
* Close ping DoS hole
There is a hole in the verification check to allow the router to ping
its own interface. This is a denial-of-service hole. You must now
specify allow-self-ping in the command to enable this hole.
* Allow secondary address pings
There was a bug in the self-ping hole, which prevented the router
pinging a secondary address. This is fixed. Note you must use the
new allow-self-ping flag to make this work.
* New command syntax
The old command still works. To enable the self-ping, use the new
flag:
ip verify unicast reverse-path [allow-self-ping] [<list>]
A new, extendable syntax is used to support the new modes of
operation. It is:
ip verify unicast source reachable-via (rx|any) [allow-default]
[allow-self-ping] [<list>]
>
> > If the destination address was not x.y.125.1, RPF will drop the
> > packets in all versions where RPF is supported.
>
> This is what I suspected and many thanks for confirming it.
>
> BTW, any reason why you did not reply to the cisco-nsp list? I suspect this
> will be of great interest to many on the list.
I am not subscribed to the list and was forwarded the query by a
colleague. Please feel free to forward my reply and these
clarifications to the list.
-Neil
----- End forwarded message -----
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:26 EDT