[nsp] RPF on Catalyst 6k

Pekka Savola pekkas at netcore.fi
Thu Dec 26 20:20:32 EST 2002


On Thu, 26 Dec 2002, Florian Weimer wrote:
> "Rubens Kuhl Jr." <rkjnsp@ieg.com.br> writes:
> 
> > Because of performance on a wire-speed device, all checks must be done in
> > parallel. If the CEF table were stored at only one place, it would require 2
> > lookups to fetch the destination and verify RPF. As far as I know, it's an
> > identical copy.
> 
> BTW, is it better to implement anti-spoofing filters using uRPF, or
> using regular ACLs (which end up in the TCAM for ACLs)?  Which one is
> more robust during DoS attacks with randomly spoofed source addresses?

I guess this question depends a bit on *where* you want to place these 
filters, right?

(Currently, we employ ACLs in both inbound-from-customer and
inbound-from-Internet -- but are planning to switch to uRPF for the
inbound-from-customer case.)

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
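As an added illustration (not configuration from the thread or from any poster), this is one way to lay out the two placements Pekka describes on an IOS-based Catalyst 6500: strict uRPF on the single-homed customer port, a static ACL on the transit port. Interface names, addresses and the ACL name are assumptions; the prefixes are RFC 5737/1918 documentation and private ranges.

```cisco
! Added example, not from the thread. Interface names, addresses and
! the ACL name are assumptions.
!
! --- Inbound from a single-homed customer: strict uRPF ---
! A source is accepted only if the FIB's best route back to it points out
! this same interface. Randomly spoofed sources fail the check no matter
! how many addresses the attacker cycles through, and nothing has to be
! edited when the customer's prefixes change: the FIB is the filter.
interface GigabitEthernet1/1
 description Customer A (single-homed, 192.0.2.0/24, documentation prefix)
 ip address 198.51.100.1 255.255.255.252
 ip verify unicast source reachable-via rx
!
! --- Inbound from the Internet: static ACL in the ACL TCAM ---
! Strict uRPF does not fit here (asymmetric routing, default route), so an
! ACL drops packets claiming a source inside our own space or in private
! space, which should never arrive from an upstream.
ip access-list extended FROM-INTERNET-IN
 remark our own customer space (example prefix) must not arrive from upstream
 deny   ip 192.0.2.0 0.0.0.255 any
 remark RFC 1918 and loopback space
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
interface TenGigabitEthernet2/1
 description Upstream transit
 ip address 203.0.113.2 255.255.255.252
 ip access-group FROM-INTERNET-IN in
!
! Check that both are in effect:
!   show ip interface GigabitEthernet1/1 | include verify
!   show ip access-lists FROM-INTERNET-IN
```

The uRPF side drops (and counts) spoofed packets at forwarding time; the ACL side only catches sources you enumerated, which is the practical difference behind Florian's robustness question.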


