[c-nsp] DNS amplification

Gert Doering gert at greenie.muc.de
Sun Mar 17 13:21:25 EDT 2013


Hi,

On Sun, Mar 17, 2013 at 05:46:21PM +0100, "Rolf Hanßen" wrote:
> If that is not just a bad/wrong explanation or a joke, what sense makes
> urpf if it cannot be enabled and configured for each interface
> individually and as a consequence of this cannot be implemented without
> possible service impact ?

Each interface can be on/off individually just fine.  What does not work
is have some interfaces in "strict mode" and other interfaces in "loose
mode" on the same sup720 (EARL7) box (is this fixed in EARL8, btw?).

So if all you have on the box is "customers" (strict mode) and "core"
(no uRPF), you're fine.

If all the box does is "core" (no uRPF) and "uplinks/peerings" (loose mode
to be able to do S-RTBH), you're fine as well.

Only if you have customers and uplink/peering interfaces on the same box,
this gets problematic.

> I am sure we are not the only ones that do not activate it because it may
> cause more problems than it will solve.
> btw, if there is a way to enable it for single (vlan)interfaces (up to a
> few hundred) without any effect for other interfaces, please let me know.

"just turn it on" :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
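The two workable layouts Gert describes above (customers in strict mode plus uRPF-free core on one box, uplinks/peerings in loose mode plus uRPF-free core on another), written out as an added IOS configuration example. This is not part of the original message or of any Cisco documentation; interface names, descriptions and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 prefixes are hypothetical (RFC 5737 documentation ranges).

```cisco
! Added example, not from the original mail: uRPF layouts that work on one
! sup720/EARL7 box per Gert's description. Interface names and prefixes are
! hypothetical (RFC 5737 documentation ranges).
!
! --- Box A: customer edge + core.  Strict mode on customer ports, no uRPF on core.
interface GigabitEthernet1/1
 description customer-1 (strict uRPF: source must be reachable via THIS interface)
 ip address 192.0.2.1 255.255.255.252
 ip verify unicast source reachable-via rx
!
interface GigabitEthernet1/2
 description customer-2
 ip address 192.0.2.5 255.255.255.252
 ip verify unicast source reachable-via rx
!
interface TenGigabitEthernet4/1
 description core link (no uRPF: asymmetric return paths would fail strict mode)
 ip address 198.51.100.1 255.255.255.252
!
! --- Box B: peering/uplink edge + core.  Loose mode on uplinks so S-RTBH works,
! no uRPF on core.  Do NOT put "reachable-via rx" and "reachable-via any"
! on the same EARL7 box; per the mail above, that is the combination that breaks.
interface TenGigabitEthernet4/1
 description uplink to transit (loose uRPF: source prefix must be in the FIB at all)
 ip address 203.0.113.2 255.255.255.252
 ip verify unicast source reachable-via any
!
! S-RTBH: a static route to Null0 for a source prefix makes the loose-mode
! check fail for packets from that source, so they are dropped on ingress at
! the uplink instead of reaching the core.  203.0.113.128/25 is a constructed
! placeholder for a prefix you would blackhole during an incident.
ip route 203.0.113.128 255.255.255.128 Null0
```

The split between Box A and Box B is exactly the constraint in the mail: strict and loose mode cannot coexist on one EARL7 chassis, so customer-facing and peering-facing uRPF end up on different boxes. One caveat for Box B: loose mode only works as intended on a router that carries specific routes (a full table or at least covering aggregates); on a box that has only a default route, add the `allow-default` keyword (`ip verify unicast source reachable-via any allow-default`), otherwise every source not covered by a more-specific route fails the check.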