North American Network Operators Group


Re: SYN spoofing

  • From: Jared Mauch
  • Date: Wed Jul 28 14:04:48 1999

On Wed, Jul 28, 1999 at 11:54:03AM -0400, bryan s. blank wrote:
> 
> % 	ip verify unicast reverse-path
> % 
> % and according to Paul Ferguson (co-author of RFC 2267) it's in use by
> % many ISPs. Apparently this is very-low overhead. Paul has also indicated
> % the use of extended access lists on Cisco routers is very low overhead,
> % especially on routers using distributed express forwarding.
> 
> 	while i hate to question mr. ferguson, it's my understanding
> 	that many isps have found this feature to be unusable due to
> 	network design.

	You can't use this in the core, but you can use it on cpe facing
interfaces.

	e.g. the interface that faces your dial LAN, or colocate LAN,
etc., and on single ckt connections.

	You get into some cases where you have a customer that is doing
more complicated things than just pointing default at you...

	(i.e. they're multihomed, or have various netblocks, and
do not announce them all to you, or do policy routing inside their network).

	What problems are you seeing, as I've not had problems with
this deployed in my network.  I know that there have been ECM bugs
in the past (equal cost multipath), and it not doing the rpf check
correctly, but those problems should not affect most of the customers
in the world.

	- jared

-- 
Jared Mauch  | pgp key available via finger from [email protected]
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
             |           "Waste Management Consultant"           VOYN
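The thread above argues about where strict uRPF (`ip verify unicast reverse-path`) is safe to turn on. The following Python model is an added example, not code from the thread or from any vendor: it implements the strict reverse-path check against a small, constructed forwarding table (interface names such as `dial0`, `colo0`, `core0` and the RFC 5737 documentation prefixes are assumptions) and walks through the cases the reply describes: a customer-facing interface where the check catches spoofed sources, a multihomed customer whose netblock is learned from the core and therefore fails the check on the colo interface, a core-facing interface where asymmetric routing drops legitimate packets, and an equal-cost multipath route, which a correct implementation must accept on any of its member interfaces.

```python
import ipaddress

# Constructed FIB for a hypothetical ISP edge router: prefix -> set of egress
# interfaces. A set with more than one member is an equal-cost multipath route.
FIB = {
    "0.0.0.0/0": {"core0"},                  # default route towards the core
    "192.0.2.0/24": {"dial0"},               # dial LAN customer
    "198.51.100.0/24": {"colo0"},            # colocation LAN customer
    # multihomed customer that announces this block only to its other ISP,
    # so this router learns it from the core, not from the customer circuit
    "203.0.113.0/25": {"core0"},
    "203.0.113.128/25": {"colo0", "colo1"},  # customer on two parallel circuits
}


def lookup(fib, addr):
    """Longest-prefix match. Returns the set of egress interfaces for the
    best route to addr, or None when the FIB has no covering route."""
    ip = ipaddress.ip_address(addr)
    best_net, best_ifaces = None, None
    for prefix, ifaces in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_ifaces = net, ifaces
    return best_ifaces


def strict_urpf(fib, ingress, src):
    """Strict reverse-path check as 'ip verify unicast reverse-path' applies
    it: the packet is accepted only if the best route back to its source
    address leaves through the interface it arrived on. With an equal-cost
    multipath route, arriving on any member interface counts as a match
    (the ECMP bug the reply mentions was an implementation that did not)."""
    ifaces = lookup(fib, src)
    if ifaces is None:
        return False            # no route back to the source at all: drop
    return ingress in ifaces


# Constructed packets: (ingress interface, source address, what the case shows)
PACKETS = [
    ("dial0", "192.0.2.10", "dial customer using its own address: accepted"),
    ("dial0", "198.51.100.7", "dial customer spoofing the colo block: dropped"),
    ("dial0", "10.1.1.1", "dial customer spoofing a random source: dropped (default points to core)"),
    ("colo0", "203.0.113.200", "ECMP customer, first circuit: accepted"),
    ("colo1", "203.0.113.200", "ECMP customer, second circuit: accepted"),
    ("colo0", "203.0.113.5", "multihomed customer's unannounced block: legitimate traffic dropped"),
    ("core0", "192.0.2.10", "core interface, asymmetric return path: legitimate traffic dropped"),
]


def evaluate(fib, packets):
    """Run the strict check over each packet; returns a list of
    (ingress, src, accepted) tuples."""
    return [(ingress, src, strict_urpf(fib, ingress, src)) for ingress, src, _ in packets]


if __name__ == "__main__":
    for (ingress, src, note), (_, _, ok) in zip(PACKETS, evaluate(FIB, PACKETS)):
        print(f"{ingress:6} {src:16} {'PASS' if ok else 'DROP':4}  {note}")
```

Running the block prints one line per constructed packet. The two DROP verdicts on legitimate traffic are exactly the deployment constraint the reply states: the check is sound on an interface behind which the only reachable sources are the prefixes routed out that interface, and it breaks as soon as a customer's netblock is learned some other way or the return path is asymmetric, which is the normal condition in the core.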