[c-nsp] URPF MAC check

Saku Ytti saku at ytti.fi
Fri Nov 23 09:50:15 EST 2012


On (2012-11-23 15:29 +0100), Tóth András wrote:

> I don't see the benefit because the L2 address is only visible up to your
> next hop; it does not validate the original sender, which might be several
> hops away. Also, MAC addresses are easily spoofable.

Yes, if SMAC is not trusted, then it's a non-starter. But if it is, as in the
residential product I'm describing, it is enforced in the access device, and
this feature would be used in L3 aggregation.

There are many ways to nail SMAC; many DSLAMs and switches support them.

> Additionally, this would break HSRP, which is certainly not common in IX
> environments, but in theory having the virtual MAC in your ARP table would
> cause legitimate traffic coming from the physical MAC to be dropped.

Heck, RPF used to break DHCP in JunOS. You'd need a MAC ACL fail-filter to
make VRRP work.

-- 
  ++ytti
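The check being debated above, as an added example that is not part of the thread and not any vendor's implementation: a small Python model of an L3 aggregation device that runs strict uRPF and then the proposed source-MAC check against its ARP table. All interface names, addresses and MACs are constructed, and the "fail-filter" is modelled as a plain allow-list of source MACs, which is an assumption about how such an exemption would be expressed. It shows what the MAC check adds over plain uRPF (a subscriber spoofing a neighbour's address on the same subnet passes strict uRPF but fails the MAC check) and the VRRP/HSRP failure mode András raises (the ARP entry holds the virtual MAC, so traffic sent with a router's physical MAC is dropped unless exempted).

```python
"""Model of strict uRPF plus a source-MAC check at an L3 aggregation router.

Added example, not code from the original mailing-list thread. All forwarding
state below is constructed for illustration; the "fail-filter" allow-list is an
assumed way of expressing the exemption the thread mentions.
"""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress_if: str
    src_mac: str
    src_ip: str


# Constructed routing table: prefix -> interface the prefix is reached through.
ROUTES = {
    "192.0.2.0/24": "ge-0/0/1",      # subscriber VLAN fed by the access device
    "198.51.100.0/24": "ge-0/0/2",   # link towards a VRRP-redundant gateway pair
}

# Constructed ARP table: ingress interface -> {ip: mac}. The access device is
# assumed to pin each subscriber's SMAC, so these entries are trustworthy.
ARP_TABLE = {
    "ge-0/0/1": {
        "192.0.2.10": "00:11:22:33:44:10",
        "192.0.2.11": "00:11:22:33:44:11",
    },
    "ge-0/0/2": {
        # The VRRP VIP resolves to the virtual MAC (VRID 5), not to either
        # router's physical MAC, which is exactly the failure mode discussed.
        "198.51.100.1": "00:00:5e:00:01:05",
    },
}

# Assumed "fail-filter": source MACs still accepted when the MAC check fails
# (the physical MACs of the two VRRP routers behind ge-0/0/2).
FAIL_FILTER_SMACS = {"00:11:22:33:44:aa", "00:11:22:33:44:bb"}


def route_lookup(ip: str):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, ifname in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ifname)
    return best[1] if best else None


def urpf_strict(pkt: Packet) -> bool:
    """Strict uRPF: the best route to the source IP must point back out the ingress interface."""
    return route_lookup(pkt.src_ip) == pkt.ingress_if


def smac_check(pkt: Packet) -> bool:
    """Proposed extension: the source IP's ARP entry on the ingress interface must equal the SMAC."""
    return ARP_TABLE.get(pkt.ingress_if, {}).get(pkt.src_ip) == pkt.src_mac


def decide(pkt: Packet, fail_filter: bool = True) -> str:
    """Forwarding verdict: uRPF first, then the MAC check, then the exemption list."""
    if not urpf_strict(pkt):
        return "drop:urpf"
    if smac_check(pkt):
        return "accept"
    if fail_filter and pkt.src_mac in FAIL_FILTER_SMACS:
        return "accept:fail-filter"
    return "drop:smac"


# Constructed sample packets.
SUBSCRIBER = Packet("ge-0/0/1", "00:11:22:33:44:10", "192.0.2.10")
# Same subnet as the spoofer, so plain strict uRPF cannot tell them apart.
NEIGHBOUR_SPOOF = Packet("ge-0/0/1", "00:11:22:33:44:10", "192.0.2.11")
# Off-net source: plain uRPF already catches this one.
OFF_NET_SPOOF = Packet("ge-0/0/1", "00:11:22:33:44:10", "203.0.113.7")
# Gateway router sending from the VIP with its physical MAC.
VRRP_ROUTER = Packet("ge-0/0/2", "00:11:22:33:44:aa", "198.51.100.1")

if __name__ == "__main__":
    for name, pkt in [("subscriber", SUBSCRIBER), ("neighbour-spoof", NEIGHBOUR_SPOOF),
                      ("off-net-spoof", OFF_NET_SPOOF), ("vrrp-router", VRRP_ROUTER)]:
        print(f"{name:16s} uRPF={urpf_strict(pkt)!s:5s} "
              f"no-filter={decide(pkt, fail_filter=False):12s} with-filter={decide(pkt)}")
```

The ordering matters: the MAC check only runs on packets that already passed uRPF, so it never loosens the existing check, and the exemption list only rescues packets whose source MAC is explicitly known (here, the VRRP routers' physical MACs). Without that exemption, every packet the gateway pair sources from the VIP with a physical MAC is dropped, which is the breakage the thread describes.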

