[c-nsp] URPF MAC check
Aled Morris
aledm at qix.co.uk
Fri Nov 23 10:15:04 EST 2012
On 23 November 2012 15:01, Aivars <aivars at ml.lv> wrote:
> If we are talking about IX environment, they usually protect
> themselves from "wrong" traffic. At least in EU. Traffic is only
> accepted on a port if it comes from a fixed MAC/IP. I would not worry
> much about that.
>
> If it is something else or you would like to make your own IX, it would
> be nice to know more info.
>
>
The use-case I was imagining was an IX. For any given peer, I know which
source addresses I can expect from them because they are advertised to me
via BGP for the return path. The problem is I can't URPF these because the
same source addresses could arrive from another peer on the same IX port
having been spoofed in their network. Validating the SMAC along with the
URPF would give me this assurance.
Aled
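
The gap described in this message, modelled as an added example (not part of the original post and not any vendor's feature): a simplified interface-only uRPF check passes a spoofed source arriving on the shared IX port, while also matching the source MAC against the advertising peer's MAC rejects it. The interface name, next-hop addresses, MACs and prefixes are constructed documentation values, and the check is generalized to accept any peer that advertises a covering prefix.

```python
import ipaddress

IX_PORT = "ix0"  # hypothetical name for the single shared IX-facing interface
# Constructed sample data: BGP next hop on the IX LAN -> its resolved MAC and
# the prefixes that peer advertises (the "return path" sources we expect).
PEERS = {
    "192.0.2.10": {"mac": "00:00:5e:00:53:0a", "prefixes": ["198.51.100.0/24"]},
    "192.0.2.20": {"mac": "00:00:5e:00:53:14", "prefixes": ["203.0.113.0/24"]},
}

def build_rib(peers, interface=IX_PORT):
    """Flatten peer advertisements into (network, next_hop, interface) routes."""
    return [(ipaddress.ip_network(p), nh, interface)
            for nh, peer in peers.items() for p in peer["prefixes"]]

def covering_routes(rib, src, in_if):
    """Routes that cover the source address and point back out in_if."""
    addr = ipaddress.ip_address(src)
    return [r for r in rib if addr in r[0] and r[2] == in_if]

def urpf_interface_only(rib, src, in_if):
    """Simplified uRPF: pass if a route to the source exists via the arrival port."""
    return bool(covering_routes(rib, src, in_if))

def urpf_with_smac(rib, peers, src, smac, in_if):
    """uRPF plus SMAC: the frame must come from a peer advertising the source."""
    allowed = {peers[nh]["mac"] for _, nh, _ in covering_routes(rib, src, in_if)}
    return smac.lower() in allowed

# Constructed frames: (label, source IP, source MAC, arrival interface)
FRAMES = [
    ("legit", "198.51.100.7", "00:00:5e:00:53:0a", IX_PORT),
    ("spoofed-via-other-peer", "198.51.100.7", "00:00:5E:00:53:14", IX_PORT),
    ("unrouted", "10.0.0.1", "00:00:5e:00:53:14", IX_PORT),
]

def evaluate(frames, peers=PEERS):
    """Return (label, interface-only verdict, uRPF+SMAC verdict) per frame."""
    rib = build_rib(peers)
    return [(label, urpf_interface_only(rib, src, in_if),
             urpf_with_smac(rib, peers, src, smac, in_if))
            for label, src, smac, in_if in frames]

if __name__ == "__main__":
    for label, plain, with_mac in evaluate(FRAMES):
        print(f"{label:24} uRPF={plain!s:5} uRPF+SMAC={with_mac}")
```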