<div dir="ltr">Well, it really depends on who you are and what you're trying to do. If you're a small network with only a single LAN attached, then that setting can be useful. In any other scenario, you don't want to use it at all. <div>
<br></div><div>Here's the "problem" with BCP 38: it doesn't protect you from anything; it protects everyone else from you and your users. This is why it's not more widely implemented.</div><div><br>
</div><div>If you want to prevent spoofing out of your network, just create an "out" firewall rule on the external interfaces of your network and allow only packets sourced from your IP ranges to exit.</div><div>
<br></div><div>Or, put input firewall rules on your internal interfaces (customer/user facing) allowing only those IPs that should be there to enter. This is obviously better in that it protects other parts of your network from your network, but is harder to maintain as you'll have firewall lists on each interface.</div>
<div><br></div><div>I would also filter all inbound traffic and make sure that packets with your source IPs aren't allowed into the network.</div><div><br></div><div>However, all of that doesn't protect you from someone spoofing your addresses from remote networks and you getting flooded. </div>
<div><br></div><div>If you want to share a few more details about what kind of network you're running I can probably give some more on-point advice. </div><div><br></div><div>m.</div><div><br></div><div><br></div></div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Feb 17, 2014 at 2:53 AM, Jared Geiger <span dir="ltr"><<a href="mailto:jared@compuwizz.net" target="_blank">jared@compuwizz.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><font face="arial, helvetica, sans-serif">So with all the latest NTP and DNS spoofing issues, is there a way to enable BCP38 or Unicast Reverse Path verification on Vyatta that won't kill throughput?</font><div>
<font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">I saw a tip to do this command on startup: <span style="line-height:15px">echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter</span></font></div>
<div><span style="line-height:15px"><font face="arial, helvetica, sans-serif"><br></font></span></div><div><font color="#000000" face="arial, helvetica, sans-serif"><span style="line-height:15px">Does anyone have any real world experience using this command?</span></font></div>
<div><font color="#000000" face="arial, helvetica, sans-serif"><span style="line-height:15px"><br></span></font></div><div><font color="#000000" face="arial, helvetica, sans-serif"><span style="line-height:15px">Thanks,</span></font></div>
<div><font color="#000000" face="arial, helvetica, sans-serif"><span style="line-height:15px">Jared</span></font></div></div>
<br>_______________________________________________<br>
vyatta-nsp mailing list<br>
<a href="mailto:vyatta-nsp@puck.nether.net">vyatta-nsp@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/vyatta-nsp" target="_blank">https://puck.nether.net/mailman/listinfo/vyatta-nsp</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Marc Runkel<div>VP, Technical Operations</div><div>Untangle, Inc.</div><div>(w) 408-598-4279</div>
</div>
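The following is an added example, not code from either poster or from Vyatta: a small Python model of the two mechanisms the thread discusses, Linux-style reverse-path filtering (the strict and loose behaviours selected by the rp_filter sysctl Jared mentions) and the three static rule sets Marc describes (egress filter on the external interface, per-interface ingress filters on customer interfaces, and an inbound drop of packets claiming your own source addresses). The topology, prefixes and FIB are constructed sample values; interface names and function names are assumptions made for the illustration.

```python
"""Constructed model of BCP 38-style anti-spoofing checks (added example).

The FIB, prefixes and interfaces below are invented for illustration.
"""
import ipaddress

Net = ipaddress.IPv4Network

# Constructed topology: eth0 faces the upstream, eth1/eth2 face customers.
EXTERNAL_IFACES = {"eth0"}
OUR_PREFIXES = [Net("203.0.113.0/24"), Net("198.51.100.0/24")]

# Constructed FIB: prefix -> interface used to forward traffic *towards* it.
FIB = {
    Net("203.0.113.0/25"): "eth1",
    Net("203.0.113.128/25"): "eth2",
    Net("198.51.100.0/24"): "eth2",
    Net("0.0.0.0/0"): "eth0",  # default route towards the upstream
}

# Rule set 2 from the reply: prefixes each customer interface may source.
CUSTOMER_INGRESS = {
    "eth1": [Net("203.0.113.0/25")],
    "eth2": [Net("203.0.113.128/25"), Net("198.51.100.0/24")],
}


def _route_lookup(addr):
    """Longest-prefix match; returns (prefix, interface) or None."""
    best = None
    for prefix, iface in FIB.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def rpf_check(src, in_iface, mode="strict"):
    """Reverse-path check modelled on rp_filter=1 (strict) and rp_filter=2 (loose).

    strict: the route back to src must leave via the interface the packet
            arrived on.
    loose:  src only has to be routable at all.  Because a default route
            matches every address, loose mode accepts almost anything on a
            router that has one, which is why strict mode is the useful setting
            for the small single-LAN case discussed in the thread.
    """
    match = _route_lookup(ipaddress.ip_address(src))
    if match is None:
        return False
    _prefix, iface = match
    return iface == in_iface if mode == "strict" else True


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def egress_allowed(src, out_iface):
    """Rule set 1: on an external interface only our own sources may leave."""
    if out_iface not in EXTERNAL_IFACES:
        return True
    return _in_any(ipaddress.ip_address(src), OUR_PREFIXES)


def ingress_allowed(src, in_iface):
    """Rule sets 2 and 3: customer interfaces admit only their assigned
    prefixes; external interfaces drop packets claiming our addresses."""
    addr = ipaddress.ip_address(src)
    if in_iface in EXTERNAL_IFACES:
        return not _in_any(addr, OUR_PREFIXES)
    return _in_any(addr, CUSTOMER_INGRESS.get(in_iface, []))


def forward_decision(src, in_iface, out_iface):
    """Verdict for a forwarded packet: 'accept' or the check that dropped it."""
    if not ingress_allowed(src, in_iface):
        return "drop:ingress"
    if not rpf_check(src, in_iface):
        return "drop:rpf"
    if not egress_allowed(src, out_iface):
        return "drop:egress"
    return "accept"


if __name__ == "__main__":
    # Constructed sample packets: (source, ingress iface, egress iface)
    samples = [
        ("203.0.113.10", "eth1", "eth0"),   # legitimate customer traffic
        ("203.0.113.200", "eth1", "eth0"),  # customer on eth1 spoofing eth2's range
        ("192.0.2.5", "eth1", "eth0"),      # customer spoofing a foreign address
        ("203.0.113.10", "eth0", "eth1"),   # outsider spoofing one of our addresses
        ("192.0.2.5", "eth0", "eth1"),      # ordinary inbound traffic
    ]
    for src, i, o in samples:
        print(f"{src:>15} {i} -> {o}: {forward_decision(src, i, o)}")
```

The model separates the reverse-path check from the static rules so the difference Marc draws is visible: the static lists stop a customer spoofing another customer's range even when strict uRPF would, because the FIB alone cannot tell two prefixes on the same interface apart, and the external-interface drop of your own prefixes blocks the outsider case, which is the one none of the egress rules cover.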