[c-nsp] benefit of uRFP with ACL over ACL on interface

Pekka Savola pekkas at netcore.fi
Wed Sep 8 14:26:11 EDT 2004


On Wed, 8 Sep 2004, Florian Weimer wrote:
> > It all depends on what you want to achieve. uRPF when used in loose mode 
> > allows for remotely triggered drops/filters in a short timeframe, which 
> > is difficult to achieve with ACL.
> >
> > However, uRPF doesn't allow for filtering granularity (matching 
> > protocol/ports) like what xACL allows.
> 
> In addition, certain common ACL entries (such as anti-spoofing
> filters) don't fit very well into the general ACL structure and thus
> require quite a bit of TCAM space.  Using uRPF might reduce TCAM usage
> in such a case.  Of course, this is only relevant on very few
> platforms.  You often can't use uRPF in strict mode because it can't
> cope with the current BGP table size.

Why would one want to run uRPF in strict mode on an interface over 
which you get a full BGP feed?  Or is the implementation so flawed 
that it requires conserving "double space" for all the routes on the 
system, even if they weren't used on that particular interface?

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
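To make the strict/loose distinction and the "remotely triggered drop" point from the thread concrete, here is a small added model of how the two uRPF checks consult the FIB. It is an illustration written for this page, not router code and not anything posted in the thread; the interface names, prefixes and routes are made up (RFC 5737 documentation ranges), and the IOS commands named in the comments are only there to map each function to the feature it models.

```python
"""Model of unicast RPF (strict vs loose) against a small longest-prefix-match FIB.

Added illustration for the thread above, not router code.  Interface names,
prefixes and the route table are constructed examples (RFC 5737 ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

NULL0 = "Null0"                                  # discard interface: a route here is a black hole
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str                                   # outgoing interface of the best path


class Fib:
    """Longest-prefix-match table, the same lookup the forwarding plane does."""

    def __init__(self) -> None:
        self.routes: list[Route] = []

    def add(self, prefix: str, iface: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), iface))

    def lookup(self, src: str, allow_default: bool) -> Optional[Route]:
        a = ipaddress.ip_address(src)
        best: Optional[Route] = None
        for r in self.routes:
            if r.prefix == DEFAULT and not allow_default:
                continue                         # IOS ignores the default route for uRPF unless 'allow-default'
            if a in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


def urpf_strict(fib: Fib, src: str, ingress: str, allow_default: bool = False) -> bool:
    """Models 'ip verify unicast source reachable-via rx': the best route back to
    the source address must leave via the interface the packet arrived on."""
    r = fib.lookup(src, allow_default)
    return r is not None and r.iface == ingress


def urpf_loose(fib: Fib, src: str, allow_default: bool = False) -> bool:
    """Models 'ip verify unicast source reachable-via any': some route to the
    source must exist and it must not be a discard (Null0) route."""
    r = fib.lookup(src, allow_default)
    return r is not None and r.iface != NULL0


def build_fib() -> Fib:
    """Constructed edge router: one customer port (Gi0/0), one transit port (Gi0/1)."""
    fib = Fib()
    fib.add("203.0.113.0/24", "Gi0/0")           # customer's own block
    fib.add("198.51.100.0/24", "Gi0/1")          # learned from upstream
    fib.add("192.0.2.0/24", "Gi0/1")             # learned from upstream
    fib.add("0.0.0.0/0", "Gi0/1")                # default toward transit
    return fib


def scenario() -> dict:
    fib = build_fib()
    out = {}
    # 1. Customer spoofs an address that is routed toward the upstream:
    #    strict catches it (best path is Gi0/1, not Gi0/0); loose does not,
    #    because a route to the source exists somewhere.
    out["spoof_strict"] = urpf_strict(fib, "198.51.100.7", "Gi0/0")
    out["spoof_loose"] = urpf_loose(fib, "198.51.100.7")
    # 2. The customer's own space passes the strict check.
    out["own_strict"] = urpf_strict(fib, "203.0.113.5", "Gi0/0")
    # 3. An unrouted (bogon) source on the transit side: loose drops it unless
    #    the default route is allowed to satisfy the check.
    out["bogon_loose"] = urpf_loose(fib, "10.9.9.9")
    out["bogon_loose_default"] = urpf_loose(fib, "10.9.9.9", allow_default=True)
    # 4. Strict on the transit interface: a source covered only by the default
    #    route fails until 'allow-default' is set, which is one reason strict
    #    mode is a poor fit on a full-feed/transit port.
    out["transit_strict"] = urpf_strict(fib, "172.16.0.1", "Gi0/1")
    out["transit_strict_default"] = urpf_strict(fib, "172.16.0.1", "Gi0/1", allow_default=True)
    # 5. Remotely triggered black hole: inject a /32 for the attacking source
    #    pointing at Null0 (e.g. via a BGP-learned route with a Null0 next hop).
    #    Every loose-uRPF interface now drops that source without any ACL change.
    out["before_rtbh"] = urpf_loose(fib, "192.0.2.66")
    fib.add("192.0.2.66/32", NULL0)
    out["after_rtbh"] = urpf_loose(fib, "192.0.2.66")
    return out


if __name__ == "__main__":
    for name, passed in scenario().items():
        print(f"{name:24} {'pass' if passed else 'DROP'}")
```

The model shows why the two modes trade off the way the thread describes: loose mode only asks "is there a non-discard route to this source", so a single injected Null0 route turns into a network-wide source drop, while strict mode additionally ties the source to the ingress interface and therefore needs per-interface reachability that a transit port with a default route cannot provide.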
