[c-nsp] DNS amplification

"Rolf Hanßen" nsp at rhanssen.de
Wed May 8 10:06:23 EDT 2013


Hello,

I have 2 further questions but could not find any hints about it on the web.

R2(config-if)#ip verify unicast source reachable-via rx ?
...
  allow-self-ping  Allow router to ping itself (opens vulnerability in verification)
  l2-src         Check packets arrive with correct L2 source address

What kind of vulnerability is that? Just for my interest, I do not need
to ping myself usually. ;)

What exactly does "l2-src" check ?
From the description I would guess it checks if there is an ARP entry for
the source IP of the incoming packet and compares it with the source MAC
of each incoming packet.
I tested and could send packets with changed source IPs without an entry
in the MAC table at all for that source IP and also with another MAC
(configured statically) in the arp table.

kind regards
Rolf Hanßen

> Hi,
>
> On Sun, Mar 17, 2013 at 05:46:21PM +0100, "Rolf Hanßen" wrote:
>> If that is not just a bad/wrong explanation or a joke, what sense does
>> urpf make if it cannot be enabled and configured for each interface
>> individually and, as a consequence of this, cannot be implemented without
>> possible service impact?
>
> Each interface can be on/off individually just fine.  What does not work
> is having some interfaces in "strict mode" and other interfaces in "loose
> mode" on the same sup720 (EARL7) box (is this fixed in EARL8, btw?).
>
> So if all you have on the box is "customers" (strict mode) and "core"
> (no uRPF), you're fine.
>
> If all the box does is "core" (no uRPF) and "uplinks/peerings" (loose mode
> to be able to do S-RTBH), you're fine as well.
>
> Only if you have customers and uplink/peering interfaces on the same box,
> this gets problematic.
>
>> I am sure we are not the only ones that do not activate it because it may
>> cause more problems than it will solve.
>> btw, if there is a way to enable it for single (vlan)interfaces (up to a
>> few hundred) without any effect for other interfaces, please let me
>> know.
>
> "just turn it on" :-)
>
> gert
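As an added illustration of the strict/loose distinction gert describes (and of why loose mode is what S-RTBH needs on uplinks and peerings), here is a small Python model of the two uRPF checks run against a constructed FIB. This is example code, not Cisco's implementation; it does not model default-route handling or the l2-src and allow-self-ping options Rolf asks about.

```python
"""Model of uRPF strict vs loose mode with a constructed FIB (not Cisco code).

strict: a route to the source must exist AND point back out the ingress
        interface (suits single-homed customer ports).
loose:  any real route to the source suffices; a route to Null0 drops, which
        is how S-RTBH blackholes a source on uplink/peering interfaces.
"""
import ipaddress

# Constructed FIB: (prefix, egress interface). "Null0" marks a blackhole route.
FIB = [
    ("203.0.113.0/24", "Customer1"),   # single-homed customer
    ("198.51.100.0/24", "Customer2"),
    ("192.0.2.0/24", "Uplink2"),       # reached via the second uplink
    ("192.0.2.66/32", "Null0"),        # S-RTBH: blackholed source address
]

# Constructed packets: (source IP, interface the packet arrived on).
PACKETS = [
    ("203.0.113.5", "Customer1"),  # legitimate customer source
    ("192.0.2.10", "Customer1"),   # spoofed source on a customer port
    ("192.0.2.10", "Uplink1"),     # asymmetric return path on a peering
    ("192.0.2.66", "Uplink1"),     # S-RTBH blackholed source
    ("10.0.0.1", "Uplink1"),       # no route to the source at all
]

def lookup(src):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_strict(src, ingress):
    """Strict mode: route must exist and its egress must be the ingress port."""
    iface = lookup(src)
    return iface is not None and iface != "Null0" and iface == ingress

def urpf_loose(src, ingress):
    """Loose mode: any real route passes; Null0 (blackhole) or no route drops."""
    iface = lookup(src)
    return iface is not None and iface != "Null0"

def filter_packets(packets, mode):
    """Return (src, ingress, verdict) for each packet under the given mode."""
    check = urpf_strict if mode == "strict" else urpf_loose
    return [(s, i, "pass" if check(s, i) else "drop") for s, i in packets]
```

Running `filter_packets(PACKETS, "strict")` versus `"loose"` shows the trade-off in the thread: strict drops the spoofed customer packet but also the asymmetric peering packet, while loose passes both yet still drops the blackholed and unrouted sources.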
