[c-nsp] URPF MAC check

Aled Morris aledm at qix.co.uk
Fri Nov 23 05:49:47 EST 2012


Something I've been thinking about...

I'd like to validate the source address on packets received from peers.

Strict URPF is great when you have point-to-point links but it isn't quite
as useful when you have a shared fabric like an Internet exchange.  The
problem is all sources on the same interface will be considered valid if
any of them is a return path for the packet.

It would be handy if URPF could use both the L3 FIB (as it does now) and
the L2 ARP table to validate source addresses.

What I'd like is: if I receive a packet from neighbor X, not only must
there be a L3 return route via X, but the packet must have actually been
received from X's MAC address on that interface.

For a loose URPF there could be a middle way - the L2 check would only be
done when the return path is indicated on the received interface, so a
packet whose return path is via X would only get the L2 check if it is
received on an interface where X is seen.

Does this feature already exist on popular platforms?  Is it something I've
missed?

Aled
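As an added illustration (not part of Aled's post, and not any vendor's implementation), the proposed check modelled in Python: a longest-prefix FIB lookup, and, whenever the return route points back out the ingress interface, a comparison of the frame's source MAC against the ARP entry for that route's next hop. The FIB entries, ARP entries, interface names and addresses are constructed sample data; plain L3 uRPF is included alongside to show why two peers on the same fabric are indistinguishable to it.

```python
import ipaddress

# Constructed sample FIB: (prefix, next-hop IP, egress interface).
FIB = [
    ("10.0.0.0/8", "192.0.2.10", "ge-0/0/1"),       # via peer X on the IXP fabric
    ("172.16.0.0/12", "192.0.2.20", "ge-0/0/1"),    # via peer Y on the same fabric
    ("203.0.113.0/24", "198.51.100.1", "ge-0/0/2"),  # via a point-to-point link
]

# Constructed sample ARP table: (interface, next-hop IP) -> MAC.
ARP = {
    ("ge-0/0/1", "192.0.2.10"): "00:00:5e:00:53:10",
    ("ge-0/0/1", "192.0.2.20"): "00:00:5e:00:53:20",
    ("ge-0/0/2", "198.51.100.1"): "00:00:5e:00:53:01",
}


def lookup(src_ip):
    """Longest-prefix match over the FIB; returns (next_hop, interface) or None."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, nh, ifname in FIB:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh, ifname)
    return None if best is None else (best[1], best[2])


def urpf_classic(in_if, src_ip, mode="strict"):
    """Plain L3 uRPF: strict needs the return route out the ingress interface,
    loose needs any route at all. Cannot tell peer X from peer Y on a fabric."""
    route = lookup(src_ip)
    if route is None:
        return False
    return mode == "loose" or route[1] == in_if


def urpf_l2_check(in_if, src_mac, src_ip, mode="strict"):
    """uRPF with the proposed L2 extension.
    strict: return route must exit the ingress interface AND the frame must
            carry the MAC of that route's next hop (from ARP).
    loose:  a route elsewhere passes without an L2 check; the MAC check is
            applied only when the return path is on the ingress interface."""
    route = lookup(src_ip)
    if route is None:
        return False
    nh, out_if = route
    if out_if != in_if:
        return mode == "loose"
    return ARP.get((in_if, nh)) == src_mac.lower()
```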


More information about the cisco-nsp mailing list