asymmetric routing

Ville villearc@stealth.net
Mon, 28 Jan 2002 21:00:11 -0500 (EST)


Pim,

On Sun, 27 Jan 2002, Pim van Pelt wrote:

> (snip)

> What do the folk from Cisco think about these anti-spoof measures being set
> to enabled state per default (user overridable of course) ?

	Well, not being from Cisco, strictly from an NSP point of view, I
	would wonder about the feasibility of forcing such political decisions
	by means of hardware. ;)  --

	As I see it, it is not all about anti-spoof; a fair part of it
	comes simply from plain host-based routing with basic
	cheapest-path-wins. Uplinks and global BGP cannot know about any
	such decisions taken.

	Anyhow, FWIW-

	Sample configurations are one thing, defaults are another.

	Count the times people wanted all routing h/w to ignore ICMP
	echo-requests by default for the sheer cause of ``ping -f''. Add
	that to the number of other similar suggestions during previous
	years, and the way time wears them off.

	Sure, such defaults are ideal, but as they begin to add up, they
	do make initial and fault-time debugging a nightmare. Similarly,
	they may well result in unintended loss of CPU time as seemingly
	similar header data is scanned at multiple hops, all inside one
	organization or even at the same POP.

	What is considered valid at the border may not be considered wise
	at the core - and vice versa.

	After the smurf era, I believe Unicast RPF (Reverse Path
	Forwarding) was sufficiently discussed. From what I can see, the
	functionality discussed does exist to the degree necessary and
	is easy to enable where desired. For any simple end-site,
	it probably really is the preferred course of action.

		interface/
		# ip verify unicast reverse-path

		[i.e. verify every packet received on the interface for
		source validity by checking that an existing path back
		to the source goes via the same interface.]


	And yes, as an end-user, I probably do despise IP spoofing to
	a rather similar degree.


> Pim

Cheers,
-- 
	Ville <viha@stealth.net>  Network Security/IPv6 Solutions
				  Stealth Communications, Inc.
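Added example, not part of Ville's mail or any vendor code: a small Python simulation of the strict-mode Unicast RPF check that "ip verify unicast reverse-path" performs, run against a constructed FIB. It goes slightly beyond the mail by also implementing loose mode (any route to the source suffices, regardless of interface) and a switch modelled on Cisco's allow-default option, so that the asymmetric-routing case from the thread subject can be seen side by side with the spoofing case: strict mode drops the legitimate packet that arrives via the "wrong" upstream, loose mode accepts it but also lets a spoofed-but-routable source through. The FIB entries, interface names and sample packets are all made up for illustration.

```python
"""Strict vs. loose Unicast RPF simulated against a small FIB.

Added example, not code from the original mail. The FIB, interface
names and sample packets below are constructed for illustration.
"""
import ipaddress
from typing import Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed FIB: (prefix, egress interface). On a real router this is
# derived from the RIB; longest-prefix match selects the route.
FIB = [
    (Net("0.0.0.0/0"),       "Serial0"),    # default route via upstream A
    (Net("192.0.2.0/24"),    "Ethernet0"),  # customer LAN
    (Net("198.51.100.0/24"), "Serial1"),    # peer B, preferred path to that /24
    (Net("203.0.113.0/24"),  "Null0"),      # blackholed prefix
]


def lookup(src: str) -> Optional[Tuple[Net, str]]:
    """Longest-prefix match for src; returns (network, egress interface) or None."""
    ip = ipaddress.IPv4Address(src)
    best = None
    for net, iface in FIB:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(src: str, ingress: str, allow_default: bool = False) -> bool:
    """Strict mode (the 'ip verify unicast reverse-path' check in the mail):
    pass only if the best route back to src leaves via the interface the
    packet arrived on. A route to Null0 never passes; a match on the default
    route alone passes only with allow_default (modelled on Cisco's
    'allow-default' keyword, an assumption beyond what the mail shows)."""
    hit = lookup(src)
    if hit is None or hit[1] == "Null0":
        return False
    net, egress = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    return egress == ingress


def urpf_loose(src: str, ingress: str, allow_default: bool = False) -> bool:
    """Loose mode (not in the mail): pass if any non-Null0 route to src
    exists, whatever the interface. Survives asymmetric routing, but a
    spoofed source that happens to be routable is accepted too."""
    hit = lookup(src)
    if hit is None or hit[1] == "Null0":
        return False
    if hit[0].prefixlen == 0 and not allow_default:
        return False
    return True


# Constructed packets: (source address, ingress interface, what it represents)
SAMPLES = [
    ("192.0.2.10",   "Ethernet0", "customer host, normal path"),
    ("192.0.2.10",   "Serial0",   "customer address spoofed from upstream"),
    ("198.51.100.7", "Serial0",   "asymmetric: arrives via A, best path is via B"),
    ("203.0.113.5",  "Serial0",   "blackholed source"),
    ("10.0.0.1",     "Serial0",   "source covered only by the default route"),
]


def verdicts(allow_default: bool = False):
    """Return {(src, ingress): (strict_pass, loose_pass)} for SAMPLES."""
    return {
        (src, ingress): (urpf_strict(src, ingress, allow_default),
                         urpf_loose(src, ingress, allow_default))
        for src, ingress, _ in SAMPLES
    }


if __name__ == "__main__":
    for src, ingress, why in SAMPLES:
        s, l = urpf_strict(src, ingress), urpf_loose(src, ingress)
        print(f"{src:>14} on {ingress:<9} strict={'pass' if s else 'drop'} "
              f"loose={'pass' if l else 'drop'}  ({why})")
```

The third sample is the case behind the thread subject: a packet from 198.51.100.0/24 that legitimately arrives over Serial0 because the far end prefers a different path than this router does. Strict mode drops it, which is why the mail reserves strict uRPF for simple end-sites with a single path rather than for the core. The second sample shows the opposite trade-off: loose mode cannot tell a spoofed customer address arriving from upstream apart from real traffic, because a route to it exists.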