[c-nsp] URPF MAC check

Christian Meutes christian at errxtx.net
Fri Nov 23 13:59:27 EST 2012


This feature makes sense, but you would need peers understanding your filtering policy. Further, FIB support for this would only make sense if Cisco would also implement uRPF for feasible routes like in Junos.

--
   Christian

On 23.11.2012, at 16:15, Aled Morris <aledm at qix.co.uk> wrote:

> On 23 November 2012 15:01, Aivars <aivars at ml.lv> wrote:
> 
>> If we are talking about IX environment, they usually protect
>> themselves from "wrong" traffic. At least in EU. Traffic is only
>> accepted on a port if it comes from a fixed MAC/IP. I would not worry
>> much about that.
>> 
>> If it is something else or you would like to make your own IX, it would
>> be nice to know more info.
>
> The use-case I was imagining was an IX.  For any given peer, I know which
> source addresses I can expect from them because they are advertised to me
> via BGP for the return path.  The problem is I can't URPF these because the
> same source addresses could arrive from another peer on the same IX port
> having been spoofed in their network.  Validating the SMAC along with the
> URPF would give me this assurance.
> 
> Aled
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
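
The check discussed in this thread, modelled as an added example (not code from any poster and not a Cisco or Junos feature): strict uRPF by interface, uRPF plus source-MAC match against the best path, and the same against all feasible paths. The interface name, peer names, MAC addresses and the PATHS table are constructed sample data.

```python
import ipaddress

IX_PORT = "ix0"  # constructed: the single shared IX-facing interface

# Constructed sample data: BGP paths learned over the IX port.
# prefix -> list of (peer name, peer MAC), best path first.
PATHS = {
    "192.0.2.0/24":    [("peerA", "02:00:00:00:00:0a")],
    "198.51.100.0/24": [("peerB", "02:00:00:00:00:0b")],
    # Announced by both peers; best path via peerA, peerB is only feasible.
    "203.0.113.0/24":  [("peerA", "02:00:00:00:00:0a"),
                        ("peerB", "02:00:00:00:00:0b")],
}
# Longest prefixes first so the first hit is the longest-prefix match.
TABLE = sorted(((ipaddress.ip_network(p), v) for p, v in PATHS.items()),
               key=lambda e: e[0].prefixlen, reverse=True)


def lookup(src_ip):
    """Longest-prefix match on the source address; path list or None."""
    addr = ipaddress.ip_address(src_ip)
    for net, paths in TABLE:
        if addr in net:
            return paths
    return None


def urpf_interface(src_ip, in_if):
    """Strict uRPF by interface only. Every path in this model resolves to
    IX_PORT, so any peer on the port passes for any routed source."""
    return lookup(src_ip) is not None and in_if == IX_PORT


def urpf_smac(src_ip, in_if, smac, feasible=False):
    """uRPF plus source-MAC check. feasible=False accepts only the MAC of
    the best path's peer; feasible=True accepts the MAC of any peer that
    announced the covering prefix."""
    paths = lookup(src_ip)
    if paths is None or in_if != IX_PORT:
        return False
    candidates = paths if feasible else paths[:1]
    return any(smac.lower() == mac for _, mac in candidates)


if __name__ == "__main__":
    peer_b = "02:00:00:00:00:0b"
    # peerA's source address arriving from peerB's MAC on the shared port.
    print("interface only:", urpf_interface("192.0.2.10", IX_PORT))
    print("with SMAC     :", urpf_smac("192.0.2.10", IX_PORT, peer_b))
    # Asymmetric but legitimate: dual-announced prefix arriving via peerB.
    print("best path only:", urpf_smac("203.0.113.5", IX_PORT, peer_b))
    print("feasible paths:", urpf_smac("203.0.113.5", IX_PORT, peer_b, True))
```

The last two lines show why a best-path-only MAC check drops legitimate asymmetric traffic while the feasible-path variant accepts it.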