asymmetric routing
Ville
villearc@stealth.net
Mon, 28 Jan 2002 21:00:11 -0500 (EST)
Pim,
On Sun, 27 Jan 2002, Pim van Pelt wrote:
> (snip)
> What do the folk from Cisco think about these anti-spoof measures being set
> to enabled state per default (user overridable of course) ?
Well, not being from Cisco, strictly from an NSP point of view, I
would wonder the feasibleness of forcing such political decisions
with the means of hardware. ,) --
As I see it, it is not all about anti-spoof, a fair part of it
constitutes simply from plain host-based routing with basic
cheapest-path-wins. Uplinks and global BGP cannot know about any
such decisions taken.
Anyhow, FWIW-
Sample configurations are one thing, defaults are another.
Count the times people wanted all routing h/w to ignore ICMP
echo-requests by default for the sheer cause of ``ping -f''. Sum
that up with the amount of other similar suggestions during
previous years and the way how time does wear them off?
Sure, such defaults are ideal, but as they begin summing up, they
do make initial and fault-time debugging a nightmare. Similarly,
they may well result in unintended loss of CPU-time as seemingly
similar header-data is scanned at multiple hops, all inside one
organization or even at the same POP.
Thing considered valid at the border may not be considered wise
at the core - and vice versa.
After the smurf-era, I believe Unicast RPF (Reverse Path
Forwarding) was sufficiently discussed. For what I can see, the
discussed functionality does exist in the degree necessary and
and is easy to enable where desired. For any simple end-site,
it probably really is the preferred course of action.
interface/
# ip verify unicast reverse-path
[ie. verify any packet received on the interface for
source-validity by the means of checking availability
of existing path back to the source via the same IF.]
And yes, as an end-user, I probably do despise IP-spoofing in
a rather similar degree.
> Pim
Cheers,
--
Ville <viha@stealth.net> Network Security/IPv6 Solutions
Stealth Communications, Inc.