[nsp] RPF on Catalyst 6k
Florian Weimer
Weimer at CERT.Uni-Stuttgart.DE
Thu Dec 26 19:32:57 EST 2002
Pekka Savola <pekkas@netcore.fi> writes:
>> BTW, is it better to implement anti-spoofing filters using uRPF, or
>> using regular ACLs (which end up in the TCAM for ACLs)? Which one is
>> more robust during DoS attacks with randomly spoofed source addresses?
>
> I guess this question depends a bit on *where* you want to place these
> filters, right?
Oh, yes, indeed. :-)
In our case, we filter to prevent packets carrying one of "our" IP
addresses from entering our local network. We suffer from slight
fragmentation of our address space, so the appropriate "deny" entries
would occupy quite a bit of TCAM (in which the inbound ACL facing the
Internet already occupies a sizable chunk).
I wish we were already approaching the edge in terms of spoof
protection, but there's still a *very* long way to go. (I'm already
happy if there's a L3 device at the edge. Typical university network
problem, I guess.)
--
Florian Weimer Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898
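To make the TCAM argument above concrete, here is an added example (not from the thread or from Cisco): it collapses a fragmented list of "our" prefixes into the minimal covering set and emits the inbound deny entries an extended IOS ACL would need, so the entry count can be compared against the single uRPF line that needs no per-prefix entries. The prefixes are constructed, and the ACL name is an assumption.

```python
"""Count the ACL entries an own-address anti-spoofing filter would occupy.

Added example, not code from the original thread. Given a fragmented set of
"our" prefixes, collapse them into the smallest covering set and emit the
deny lines for an extended IOS ACL applied inbound on the Internet-facing
interface. The number of entries is a rough proxy for the TCAM space the
ACL consumes; uRPF ("ip verify unicast source reachable-via rx" on the
interface) would need no per-prefix entries at all.
"""
import ipaddress

# Constructed sample of a fragmented address space (documentation ranges).
OUR_PREFIXES = [
    "192.0.2.0/25", "192.0.2.128/25",        # adjacent halves, collapse to a /24
    "198.51.100.0/24",
    "203.0.113.0/26", "203.0.113.64/26",     # adjacent quarters, collapse to a /25
    "203.0.113.192/26",                      # isolated quarter, stays a /26
]


def collapse(prefixes):
    """Return the minimal list of networks covering exactly the given prefixes."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def wildcard(net):
    """IOS ACLs use an inverse (wildcard) mask rather than a prefix length."""
    return str(net.hostmask)


def acl_lines(prefixes, name="FROM-INTERNET"):
    """Emit the anti-spoofing deny entries (ACL name is an assumed placeholder)."""
    lines = [f"ip access-list extended {name}"]
    for net in collapse(prefixes):
        lines.append(f" deny ip {net.network_address} {wildcard(net)} any")
    # The remaining inbound policy would follow here; a bare permit stands in for it.
    lines.append(" permit ip any any")
    return lines


def entry_count(prefixes):
    """Number of deny entries the filter occupies after aggregation."""
    return len(collapse(prefixes))


if __name__ == "__main__":
    print("\n".join(acl_lines(OUR_PREFIXES)))
    print(f"! {entry_count(OUR_PREFIXES)} deny entries after aggregation")
```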