Re: [nsp] ip verify unicast reverse-path

From: R.P. Aditya (lists@lists.grot.org)
Date: Wed Jun 06 2001 - 16:47:12 EDT


On Wed, Jun 06, 2001 at 10:28:41PM +0200, Gert Doering wrote:
> > How do you implement this? and what's the side effect?
...
> It has no adverse side effects, and it stops your customers from spoofing
> foreign IP addresses without the need for you to maintain access lists.

As long as you only put it right at the edge, it doesn't have any adverse
side-effects unless your customer is multihomed. There has been a bit of
discussion on the adverse effects of indiscriminate usage of RPF on both NANOG
and cisco-nsp.

You might find the Cisco document referenced in:

  http://puck.nether.net/lists/cisco-nsp/3527.html

useful in the more general case. It has an updated URL of:

  http://www.cisco.com/public/cons/isp/documents/uRPF_Enhancement.pdf

For a historical oops:

  http://www.cctec.com/maillists/nanog/historical/9903/msg00124.html
  http://www.cctec.com/maillists/nanog/historical/9903/msg00125.html

Adi
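
Added example, not part of the original post and not Cisco's implementation: a simplified model of the strict reverse-path check, showing why it blocks spoofed sources at a single-homed edge yet drops legitimate traffic from a multihomed customer. The FIB contents, prefixes (documentation ranges) and interface names are constructed assumptions, and the model assumes one best path per prefix.

```python
import ipaddress

# Constructed FIB of one edge router: prefix -> interface of the best path.
# Interface names and prefixes are hypothetical sample values.
FIB = {
    "192.0.2.0/24": "Serial0",    # single-homed customer A, attached on Serial0
    "198.51.100.0/24": "POS1/0",  # multihomed customer B is attached on Serial1,
                                  # but the preferred route is via its other upstream
    "0.0.0.0/0": "POS1/0",        # default route toward the core
}

def best_interface(fib, addr):
    """Longest-prefix match: interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    nets = [ipaddress.ip_network(p) for p in fib]
    matches = [n for n in nets if ip in n]
    if not matches:
        return None
    return fib[str(max(matches, key=lambda n: n.prefixlen))]

def strict_urpf(fib, src, in_if):
    """Strict check: accept only if the best route back to src
    points out the interface the packet arrived on."""
    return best_interface(fib, src) == in_if

# Constructed packets: (description, source address, arrival interface)
PACKETS = [
    ("customer A, own address", "192.0.2.10", "Serial0"),
    ("customer A, spoofed foreign source", "203.0.113.5", "Serial0"),
    ("multihomed customer B, own address", "198.51.100.7", "Serial1"),
]

def evaluate(fib, packets):
    """Return (description, verdict) pairs for each packet."""
    return [(d, "accept" if strict_urpf(fib, s, i) else "drop")
            for d, s, i in packets]

if __name__ == "__main__":
    for desc, verdict in evaluate(FIB, PACKETS):
        print(f"{verdict:6}  {desc}")
```

The third packet is legitimate traffic that is dropped only because the router's best path back to the customer's prefix leaves by a different interface than the one the packet arrived on.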



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:40 EDT