[c-nsp] SXI3 strange issue, Loose mode uRPF jumps to strict by itself

Saku Ytti saku at ytti.fi
Fri Jul 30 02:22:03 EDT 2010


On (2010-07-29 23:07 +0200), bas wrote:
 
> ACLs for customers are too much work, tedious and prone to mistakes.

It can be. In an ideal world, routers are only touched when testing new
products or troubleshooting software defects. The master configuration should
live in a customer database from which the configuration is generated for the live
network, and periodically the live network is imported back if its configuration is
within policy and acceptable, or reverted/marked unmanaged if not.
If you live in this ideal world or a subset of it, you could just generate
the ACL. But of course very few have anything like this (SPs rarely
understand that computers are cheaper than we are; maybe it is a blessing).

> Seeing that IPv4 depletion is almost here, loose mode on upstream does not
> make sense any more.
> So I guess we'll move away from that.

The biggest benefit of loose mode is the ability to do source-based blackholing, i.e.
you add 'ip route 192.0.2.42 255.255.255.255 null0 tag xyzzy' on one
router and magically packets sent to you by 192.0.2.42 get dropped on every
one of your peering Ciscos that has uRPF loose configured.

Just FYI, up to EARL7.5 the 6500/7600 does not support any uRPF for IPv6, and
with ACLs you either ACL up to /128 with no L4 lookups or you ACL up to /88
with L4 lookups. The default is no L4 lookups in ACLs at all, which to me is
unacceptable. So unless you are going to replace the routers before
deploying IPv6, I guess it will be worth your time to develop a system for
ACL generation.

Also thank you for being part of the community and stopping your customers
from spoofing.

-- 
  ++ytti
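The reply above recommends generating per-customer anti-spoofing ACLs from a customer database rather than hand-typing them. The following is an added example of such a generator (not code from the post or from Cisco); the customer rows, interface names and ACL naming scheme are constructed for illustration. It validates each assigned prefix (rejecting a prefix with host bits set, the classic typo that silently widens a permit), refuses to emit any config if two customers are assigned overlapping prefixes, and produces both an IPv4 extended ACL and an IPv6 ACL bound inbound on the customer-facing interface, which covers the IPv6 case where the post notes uRPF is unavailable on that platform.

```python
"""Generate per-customer anti-spoofing ingress ACLs for Cisco IOS from a
customer database, so the ACLs are never hand-typed (added example)."""
import ipaddress

# Constructed sample rows standing in for the customer database (hypothetical data).
CUSTOMERS = [
    {"name": "cust-a", "interface": "GigabitEthernet1/1",
     "prefixes": ["192.0.2.0/24", "2001:db8:1::/48"]},
    {"name": "cust-b", "interface": "GigabitEthernet1/2",
     "prefixes": ["198.51.100.0/25", "198.51.100.128/26"]},
]


def parse_prefixes(customer):
    """Parse and validate assigned prefixes. strict=True rejects host bits set
    (e.g. 192.0.2.1/24), a typo that would otherwise silently widen the permit."""
    return [ipaddress.ip_network(p, strict=True) for p in customer["prefixes"]]


def check_overlaps(customers):
    """Return (customer1, customer2, prefix1, prefix2) for every pair of prefixes
    assigned to different customers that overlap; one of them is a database error."""
    owned = [(c["name"], n) for c in customers for n in parse_prefixes(c)]
    clashes = []
    for i, (a_name, a_net) in enumerate(owned):
        for b_name, b_net in owned[i + 1:]:
            if (a_name != b_name and a_net.version == b_net.version
                    and a_net.overlaps(b_net)):
                clashes.append((a_name, b_name, str(a_net), str(b_net)))
    return clashes


def acl_lines(customer):
    """Named ACLs: permit only sources inside the customer's assignments, deny the rest."""
    nets = parse_prefixes(customer)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    tag = customer["name"].upper()
    lines = []
    if v4:
        lines.append(f"ip access-list extended {tag}-IN-V4")
        for n in v4:
            # IOS wants a wildcard (inverted) mask, which ipaddress calls hostmask
            lines.append(f" permit ip {n.network_address} {n.hostmask} any")
        lines.append(" deny ip any any log")
    if v6:
        lines.append(f"ipv6 access-list {tag}-IN-V6")
        # link-local sources must stay permitted for Neighbor Discovery on the link
        lines.append(" permit ipv6 fe80::/10 any")
        for n in v6:
            lines.append(f" permit ipv6 {n.with_prefixlen} any")
        lines.append(" deny ipv6 any any log")
    return lines


def interface_lines(customer):
    """Bind the generated ACLs inbound on the customer-facing interface."""
    nets = parse_prefixes(customer)
    tag = customer["name"].upper()
    lines = [f"interface {customer['interface']}"]
    if any(n.version == 4 for n in nets):
        lines.append(f" ip access-group {tag}-IN-V4 in")
    if any(n.version == 6 for n in nets):
        lines.append(f" ipv6 traffic-filter {tag}-IN-V6 in")
    return lines


def generate_config(customers):
    """Full config snippet; emits nothing at all if the database is inconsistent."""
    clashes = check_overlaps(customers)
    if clashes:
        raise ValueError(f"overlapping assignments: {clashes}")
    out = []
    for c in customers:
        out += acl_lines(c) + interface_lines(c)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(generate_config(CUSTOMERS))
```

The important design choice is that validation failures abort the whole run instead of emitting a partial config: a generator that pushes a half-correct ACL set to a live router is exactly the "prone to mistakes" problem the quoted poster is worried about, only automated.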


More information about the cisco-nsp mailing list