[c-nsp] uRPF Core Internet Routers

Lee ler762 at gmail.com
Tue Apr 16 22:37:29 EDT 2013


On 4/16/13, Dobbins, Roland <rdobbins at arbor.net> wrote:
>
> On Apr 17, 2013, at 8:42 AM, Lee wrote:
>
>> But the IPv4 address space is close to all allocated, so enabling it for
>> IPv4 doesn't seem like a huge win.
>
> This is incorrect, and is actually harmful misinformation.
>
> The value of antispoofing has nothing to do with allocated address space
> percentages.  It has everything to do with removing the ability to launch
> high-volume reflection/amplification DDoS attacks, spoofed SYN-floods, et
> al.

The topic was about enabling loose uRPF.  Quoting from
http://www.cisco.com/web/about/security/intelligence/CiscoIOSXR.html
again:

Loose mode Unicast RPF: Loose mode searches for the source address of
a packet in the FIB table. If the address exists and matches a real
and valid forwarding entry (not necessarily pointing to the ingress
interface on which the packet was received), then the packet is
further processed, otherwise it is dropped.

Seems to me that filtering just packets supposedly coming from
unannounced IPv4 address space is not all that useful in
>   ... removing the ability to launch
> high-volume reflection/amplification DDoS attacks, spoofed SYN-floods, et
> al.

If someone is going to spoof traffic, it's no harder for them to spoof
traffic from advertised than non-advertised space.

Lee
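The loose-versus-strict distinction the message turns on can be made concrete with a small model. The following Python is example code added to this page; it is not from the thread, from Lee or Roland, or from Cisco's documentation. It implements the two checks as the quoted Cisco text describes them (a source-address FIB lookup; loose mode ignores the ingress interface, strict mode requires the best route back to the source to point out that interface) over a constructed FIB. The prefixes are RFC 5737 documentation ranges, the interface names are invented, a route with no next hop models a Null0 discard route (which is not a "valid forwarding entry", the mechanism source-based RTBH relies on), and the table deliberately has no default route, since IOS does not use the default route for the uRPF source check unless allow-default is configured.

```python
"""Toy model of strict vs. loose Unicast RPF over a hand-built FIB.

Example code added for this page; it is not from the thread or from Cisco.
Prefixes are RFC 5737 documentation ranges and interface names are invented.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: Optional[str]  # None models a discard (Null0) next hop


# Constructed FIB. No default route on purpose: IOS does not use the default
# route for the uRPF source check unless "allow-default" is configured.
FIB = [
    Route(ipaddress.ip_network("192.0.2.0/24"), "Gi0/1"),     # customer A
    Route(ipaddress.ip_network("198.51.100.0/24"), "Gi0/2"),  # customer B
    Route(ipaddress.ip_network("203.0.113.0/24"), "Gi0/3"),   # upstream
    Route(ipaddress.ip_network("198.51.100.77/32"), None),    # RTBH'd source
]


def lookup(src: IPv4) -> Optional[Route]:
    """Longest-prefix match, as the FIB lookup does for the source address."""
    best = None
    for route in FIB:
        if src in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def urpf_loose(src: str, ingress: str) -> bool:
    """Loose mode: pass if the source has a real, valid forwarding entry.

    The ingress interface is not consulted at all, so a source spoofed from
    any announced prefix passes regardless of where it arrives."""
    route = lookup(ipaddress.ip_address(src))
    return route is not None and route.interface is not None


def urpf_strict(src: str, ingress: str) -> bool:
    """Strict mode: pass only if the best route back to the source points
    out the interface the packet arrived on."""
    route = lookup(ipaddress.ip_address(src))
    return route is not None and route.interface == ingress


def verdicts(src: str, ingress: str) -> dict:
    """Both checks for one packet, keyed by mode."""
    return {"loose": urpf_loose(src, ingress), "strict": urpf_strict(src, ingress)}


# Constructed test packets: (source, ingress interface, description).
PACKETS = [
    ("192.0.2.10", "Gi0/1", "customer A's own address on its own port"),
    ("10.9.8.7", "Gi0/1", "unrouted source, no FIB entry"),
    ("192.0.2.10", "Gi0/2", "customer B spoofing customer A's announced space"),
    ("198.51.100.77", "Gi0/3", "source black-holed via Null0 route"),
]

if __name__ == "__main__":
    for src, ingress, what in PACKETS:
        v = verdicts(src, ingress)
        print(f"{src:>15} via {ingress}: "
              f"loose={'pass' if v['loose'] else 'DROP'} "
              f"strict={'pass' if v['strict'] else 'DROP'}  ({what})")
```

The third packet is the case the message describes: a source taken from announced space arriving on the wrong port passes loose mode and is caught only by strict mode. Strict mode's cost, not modelled here, is that it drops legitimate traffic whenever routing is asymmetric (a multihomed customer whose best return path is a different interface), which is why loose mode is what tends to be deployed on core and peering routers, where it still catches unrouted sources and lets a Null0 route blackhole a source.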

