[c-nsp] URPF MAC check

Saku Ytti saku at ytti.fi
Fri Nov 23 10:24:47 EST 2012


On (2012-11-23 15:15 +0000), Aled Morris wrote:

> The use-case I was imagining was an IX.  For any given peer, I know which
> source addresses I can expect from them because they are advertised to me
> via BGP for the return path.  The problem is I can't URPF these because the
> same source addresses could arrive from another peer on the same IX port
> having been spoofed in their network.  Validating the SMAC along with the
> URPF would give me this assurance.

Even regular uRPF/strict usage case isn't IX, it's not going to work. With
active paths breakage is obvious, with feasible paths it's less obvious.

It's normal to receive traffic on the Internet from a source which is not
advertised at that source.

But for the feature itself I can see usage scenarios, not just there.
-- 
  ++ytti
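
The check discussed in this thread, modelled as an added example (not part of the original messages and not any vendor's implementation): uRPF on a shared IX port with and without matching the frame's source MAC against the peer that advertised the covering prefix. The prefixes, MAC addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: BGP paths learned over ONE shared IX port.
# Each path: (prefix, MAC of the advertising peer's router, active/best path?)
PEER_A, PEER_B = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
PATHS = [
    ("198.51.100.0/24", PEER_A, True),
    ("203.0.113.0/24", PEER_B, True),
    ("203.0.113.0/24", PEER_A, False),  # feasible path, not the active one
]

def _paths_for(src):
    """Return (mac, best) for every path of the longest prefix covering src."""
    addr = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), mac, best) for p, mac, best in PATHS
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return []
    longest = max(net.prefixlen for net, _, _ in hits)
    return [(mac, best) for net, mac, best in hits if net.prefixlen == longest]

def urpf_port_only(src):
    """Interface-level strict uRPF: all paths here resolve to the same IX port,
    so any peer on the port passes for any prefix with an active path."""
    return any(best for _, best in _paths_for(src))

def urpf_with_smac(src, smac, feasible=False):
    """Pass only if the frame's source MAC belongs to a peer that advertised
    the covering prefix (active path only, or any path in feasible mode)."""
    return any(mac == smac.lower() and (best or feasible)
               for mac, best in _paths_for(src))

if __name__ == "__main__":
    # Source in peer A's prefix arriving from peer B's MAC: the port-only check
    # passes it; the SMAC check drops it, whether it was spoofed or was
    # legitimate traffic that B carries without advertising the prefix.
    print(urpf_port_only("198.51.100.7"), urpf_with_smac("198.51.100.7", PEER_B))
    # Peer A advertises 203.0.113.0/24 but is not the active path:
    # dropped in active-path mode, accepted in feasible-path mode.
    print(urpf_with_smac("203.0.113.9", PEER_A),
          urpf_with_smac("203.0.113.9", PEER_A, feasible=True))
```
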

