North American Network Operators Group

Re: Who does source address validation? (was Re: what's that smell?)
> install this on all your internal, upstream, downstream
> interfaces (cisco router) [cef required]:
>
> "ip verify unicast source reachable-via any"
>
> This will drop all packets on the interface that do not
> have a way to return them in your routing table.

Of course, this is the IP RIB and may not include all the potential paths in the BGP Adj-RIBs-In, right? As such, you've still got the potential for asymmetric routing to break things.

> Juniper has a somewhat viable solution to the 100% source
> validation for bgp customers. they will consider non-best
> paths in their unicast-rpf check on the customer interface. This
> means that even if 35.0.0.0/8 is best returned via your
> peer instead of via the provider the packet came in, but they
> are advertizing the prefix to you, you will not drop the packet.

What's a "bgp customer"? Can they support 500K+ uRPF entries here?

-danny
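A simplified model of the source-address checks discussed in this message, as an added example that is not part of the original post or any vendor's implementation. It compares a strict check against the best path, the "reachable-via any" check, and a check that also considers non-best paths learned on the receiving interface. The route table, the interface names (`peer0`, `cust0`, `transit0`) and the function name are constructed for illustration.

```python
import ipaddress

# Constructed sample data: (prefix, interface the path was learned on, best?).
# best=True means the path is installed in the IP RIB/FIB; best=False means it
# exists only as a non-best path in the BGP Adj-RIB-In.
ROUTES = [
    ("35.0.0.0/8", "peer0", True),    # best return path is via the peer
    ("35.0.0.0/8", "cust0", False),   # customer also advertises it (non-best)
    ("192.0.2.0/24", "cust0", True),
]

def urpf_accept(src, in_if, mode, routes=ROUTES):
    """Return True if a packet from `src` arriving on `in_if` passes the check.

    mode "strict":   best (longest-match) route must point back out `in_if`
    mode "loose":    any installed route covering `src` is enough
                     (the "reachable-via any" behaviour quoted above)
    mode "feasible": any path for a covering prefix, best or not, learned on
                     `in_if` is enough (the non-best-path check quoted above)
    """
    addr = ipaddress.ip_address(src)
    covering = [(ipaddress.ip_network(p), ifc, best)
                for p, ifc, best in routes
                if addr in ipaddress.ip_network(p)]
    installed = [r for r in covering if r[2]]
    if mode == "loose":
        return bool(installed)
    if mode == "strict":
        if not installed:
            return False
        best = max(installed, key=lambda r: r[0].prefixlen)
        return best[1] == in_if
    if mode == "feasible":
        return any(ifc == in_if for _, ifc, _ in covering)
    raise ValueError(f"unknown mode: {mode}")

if __name__ == "__main__":
    cases = [
        ("35.1.2.3", "cust0"),       # legitimate but asymmetric customer traffic
        ("35.1.2.3", "transit0"),    # same source on an interface with no path
        ("198.51.100.7", "cust0"),   # source with no route at all
    ]
    for src, in_if in cases:
        verdicts = {m: urpf_accept(src, in_if, m)
                    for m in ("strict", "loose", "feasible")}
        print(src, in_if, verdicts)
```

The second case is the one to watch when choosing a mode: the loose check accepts any source that is routable somewhere, so it only filters sources with no route at all.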