[c-nsp] URPF MAC check

Dobbins, Roland rdobbins at arbor.net
Fri Nov 23 06:06:11 EST 2012


On Nov 23, 2012, at 5:49 PM, Aled Morris wrote:

> It would be handy if URPF could use both the L3 FIB (as it does now) and the L2 ARP table to validate source addresses

I guess I don't understand what you mean by this . . .

Regarding some combination of layer-2 and layer-3, how would your box have prior knowledge of what path(s) packets are going to take through the Internet to reach the given interface on your box?

If we want to filter layer-2 MAC addresses, you can do that on various platforms/linecards/interfaces.  But since in an IX scenario the adjacent layer-2 interface will be that of an IX fabric switchport, how would that help?

uRPF doesn't have any knowledge of anything beyond *your box's* FIB/adjacency table.  It doesn't know anything about other boxes.  If we receive a packet on a given layer-3 interface, ipso facto we received the frame(s) encapsulating the packet on that interface - so, what problem is it that we're trying to solve?

There are layer-2 anti-spoofing mechanisms such as IP Source Guard, but they're intended for use in an access LAN context where there are hosts connected to network infrastructure within your span of administrative control.  They don't apply to layer-3 interconnection scenarios.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
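To make the point in the reply above concrete, here is a small Python model of the uRPF decision as it runs on a single router. This is an added illustration, not code from the thread or from any vendor implementation; the FIB contents, interface names and packets are constructed for the example. Note that the only inputs to the verdict are the local FIB and the interface the packet arrived on: nothing from any other box, and nothing from layer 2, ever enters the check.

```python
import ipaddress

# Constructed FIB of the local box only: prefix -> set of interfaces through
# which that prefix is reachable. "Null0" marks a blackholed (discard) route.
FIB = {
    "192.0.2.0/24": {"Gi0/1"},
    "198.51.100.0/24": {"Gi0/2"},
    "198.51.100.200/32": {"Null0"},            # blackholed host route
    "203.0.113.0/24": {"Gi0/1", "Gi0/2"},      # reachable via two interfaces
    "0.0.0.0/0": {"Gi0/3"},                    # default route
}


def fib_lookup(fib, src):
    """Longest-prefix match of a source address against the local FIB.

    Returns (matching network, set of egress interfaces); (None, set()) if
    nothing matches.
    """
    addr = ipaddress.ip_address(src)
    best_net, best_ifaces = None, set()
    for prefix, ifaces in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_ifaces = net, ifaces
    return best_net, best_ifaces


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """Return True if the packet passes uRPF, False if it should be dropped.

    strict: the FIB entry for the source must point back out the ingress
            interface (multipath entries may list several interfaces).
    loose:  any non-null FIB entry for the source suffices, whatever interface.
    In both modes a blackholed source is dropped, and a source matched only by
    the default route is dropped unless allow_default is set.
    """
    net, ifaces = fib_lookup(fib, src)
    if net is None or "Null0" in ifaces:
        return False                      # no route, or a discard route
    if net.prefixlen == 0 and not allow_default:
        return False                      # matched only the default route
    if mode == "loose":
        return True
    if mode == "strict":
        return ingress in ifaces
    raise ValueError(f"unknown uRPF mode: {mode}")


def audit(fib, packets, mode="strict", allow_default=False):
    """Run uRPF over (src, ingress) tuples; returns a list of verdicts."""
    return [
        (src, ingress, "pass" if urpf_check(fib, src, ingress, mode, allow_default) else "drop")
        for src, ingress in packets
    ]


if __name__ == "__main__":
    # Constructed sample packets: source address and the interface they arrived on.
    packets = [
        ("192.0.2.5", "Gi0/1"),        # symmetric: passes strict and loose
        ("192.0.2.5", "Gi0/2"),        # asymmetric: fails strict, passes loose
        ("203.0.113.7", "Gi0/2"),      # multipath entry: passes strict
        ("10.0.0.1", "Gi0/1"),         # only the default route: dropped
        ("198.51.100.200", "Gi0/2"),   # blackholed source: dropped
    ]
    for mode in ("strict", "loose"):
        print(f"--- {mode} ---")
        for src, ingress, verdict in audit(FIB, packets, mode):
            print(f"{src:16} in {ingress:6} -> {verdict}")
```

The second packet shows why strict mode is a poor fit where routing is asymmetric (reachability to the source via a different interface than the one it arrived on), and the fourth shows the usual treatment of sources covered only by a default route. In neither case would a MAC address or ARP entry change the outcome: the frame's layer-2 source is, by construction, the adjacent device on the ingress interface, which is exactly what the ingress-interface check already captures.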
