Re: [nsp] ip verify unicast reverse-path

From: Jeff Harrington (jharring@appliedtheory.com)
Date: Wed Jun 06 2001 - 16:57:05 EDT


At 10:28 PM 6/6/01 +0200, Gert Doering wrote:
>Hi,
>
>On Wed, Jun 06, 2001 at 12:08:46PM -0700, Danny Sutantyo wrote:
>> Has anybody used command called "ip verify unicast reverse-path" for
>> anti-spoofing in Cisco IOS Router features?
>
>Yes!
>
>> How do you implement this? and what's the side effect?
>
>I use this on all our single-homed customer lines (static routes pointing
>to them), and it's great. Best thing since "clear ip b soft in" :)
>
>It has no adverse side effects, and it stops your customers from spoofing
>foreign IP addresses without the need for you to maintain access lists.

I've run into one side effect of not being able to ping through a loop on a
circuit with the command enabled. Took the command off and was able to
ping. That doesn't affect normal operations, but it can throw a NOC for a
loop (no pun intended).

>It should be mandatory for all ISPs out there - will stop most DoS attacks
>with forged source IPs cold in the water.
>

Jeff Harrington
Network Engineer
AppliedTheory Corporation
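Added illustration (not code from Gert's or Jeff's posts, and not Cisco's implementation): a small Python model of what strict uRPF does per packet, so the "static route pointing at the customer" requirement and the reported loop symptom can be seen side by side. The FIB, interface names and sample packets are all constructed for this example; in particular, modelling the looped circuit as the router's own address arriving back on the customer interface is my reading of Jeff's report, not something the thread states.

```python
import ipaddress

# Constructed FIB for the illustration (not anyone's real config from the thread):
# destination prefix -> interface the router would use to reach it.
# Serial1/0 and Serial1/1 are single-homed customer lines with static routes,
# Serial0/0 is the upstream link carrying the default route, and "local"
# marks an address owned by the router itself (assumed, for the loop case).
FIB = {
    "0.0.0.0/0":        "Serial0/0",
    "192.0.2.0/24":     "Serial1/0",
    "198.51.100.0/26":  "Serial1/1",
    "203.0.113.1/32":   "local",
}


def lookup(fib, addr):
    """Longest-prefix match of addr against fib.

    Returns (prefix, interface) for the most specific matching route,
    or None if nothing matches.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else None


def strict_urpf(fib, src, ingress):
    """Model of strict uRPF ("ip verify unicast reverse-path") on one interface.

    The packet passes only if the best route back to its *source* address
    points out the very interface the packet arrived on.  A match against the
    default route alone does not count, mirroring IOS behaviour without the
    allow-default keyword.
    """
    route = lookup(fib, src)
    if route is None:
        return False
    prefix, egress = route
    if ipaddress.ip_network(prefix).prefixlen == 0:
        return False
    return egress == ingress


def filter_packets(fib, packets):
    """Apply strict uRPF to (src, ingress) pairs; return the verdict per packet."""
    return [(src, ingress, strict_urpf(fib, src, ingress)) for src, ingress in packets]


# Constructed sample traffic arriving on customer line Serial1/0.
SAMPLE = [
    ("192.0.2.10",   "Serial1/0"),  # customer's own address: accepted
    ("198.51.100.5", "Serial1/0"),  # another customer's address: dropped
    ("172.16.0.1",   "Serial1/0"),  # only the default route matches: dropped
    ("203.0.113.1",  "Serial1/0"),  # router's own address reflected back (assumed loop case): dropped
]

if __name__ == "__main__":
    for src, iface, ok in filter_packets(FIB, SAMPLE):
        print(f"{src:>14} on {iface}: {'accept' if ok else 'drop (uRPF)'}")
```

The model shows why the feature needs no access lists on a single-homed line: the static route already says which sources belong on that interface, and everything else fails the reverse-path lookup. It also shows why a looped circuit looks broken from the NOC: a packet whose source is the router itself has no route pointing out the customer interface, so the reflected ping is discarded just like a spoofed one. On a real router the per-interface verification status in "show ip interface" and the unicast RPF drop counter in "show ip traffic" are the places to confirm what the model predicts.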



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:40 EDT