North American Network Operators Group


Re: SYN spoofing and Ciscos crashing

  • From: Tony Tauber
  • Date: Wed Jul 28 17:53:27 1999

On Wed, 28 Jul 1999 [email protected] wrote:

> On Wed, 28 Jul 1999, bryan s. blank wrote:
> > 
> > % 	ip verify unicast reverse-path
> > % 
> > % and according to Paul Ferguson (co-author of RFC 2267) it's in use by
> > % many ISPs. Apparently this is very-low overhead. Paul has also indicated
> > % the use of extended access lists on Cisco routers is very low overhead,
> > % especially on routers using distributed express forwarding.
> > 
> > 	while i hate to question mr. ferguson, it's my understanding
> > 	that many isps have found this feature to be unusable due to
> > 	network design.
> I just took out a 7206 by applying ip verify unicast reverse-path to a T3
> link on a PA2T3 and attempting to spoof packets from the POP on the other
> end of that T3.
> The 7206 is running c7200-inu-mz.111-25.CC.  Fortunately, it rebooted
> after it crashed.
CSCdm34439 - "configuring ip verify unicast return-path causes crash."
Found in 11.1(25)CC, fixed in 11.1(26.1)CC.
Release-note is
Configuring 'ip verify unicast return-path' on many interfaces may
cause crash.
As I recall, it gets tickled if there's multi-path stuff going on,
i.e. multiple paths to a given destination, though it may not need
that to crash.
Just one other note: 
This feature is NOT "unusable due to network design".
True, it isn't useful for multihomed destinations (e.g. where a
customer is multihomed to different routers), but it is useful
in other cases, which are typically the vast, vast majority.
Somewhat like Lojack, it's not crucial that it be absolutely ubiquitous;
every little bit helps the community at large.
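The multihoming limitation discussed above can be made concrete with a small simulation of the strict reverse-path check that `ip verify unicast reverse-path` performs. This is an added example, not code or configuration from the thread; the FIB entries, interface names and sample packets are constructed for illustration.

```python
import ipaddress

# Constructed FIB for an illustrative edge router (not from the original thread).
# Each destination prefix maps to the set of interfaces its best route uses;
# an equal-cost multipath route would list more than one interface.
FIB = {
    ipaddress.ip_network("203.0.113.0/24"):  {"Serial3/0"},        # remote prefix via the core
    ipaddress.ip_network("192.0.2.0/24"):    {"FastEthernet0/0"},  # single-homed customer
    ipaddress.ip_network("198.51.100.0/24"): {"FastEthernet0/1"},  # customer also attached to another router
}

def lookup(src):
    """Longest-prefix match on the source address; returns the route's interface set."""
    ip = ipaddress.ip_address(src)
    matches = [p for p in FIB if ip in p]
    return FIB[max(matches, key=lambda p: p.prefixlen)] if matches else set()

def strict_urpf_permits(src, ingress):
    """Strict uRPF: accept the packet only if the best route back to its
    source leaves through the interface the packet arrived on.
    This drops spoofed sources, but also legitimate traffic that reaches
    the router over a path the FIB does not consider best."""
    return ingress in lookup(src)

def classify(packets):
    """Apply the check to (source, ingress interface) pairs."""
    return [(src, ifc, "permit" if strict_urpf_permits(src, ifc) else "drop")
            for src, ifc in packets]

# Constructed sample packets (source address, ingress interface).
SAMPLE = [
    ("192.0.2.10", "FastEthernet0/0"),    # legitimate single-homed customer
    ("192.0.2.10", "Serial3/0"),          # same address spoofed from the core side
    ("198.51.100.7", "FastEthernet0/1"),  # multihomed customer on its direct link
    ("198.51.100.7", "Serial3/0"),        # same customer arriving via its other router
    ("10.0.0.1", "Serial3/0"),            # source with no route at all
]

if __name__ == "__main__":
    for src, ifc, verdict in classify(SAMPLE):
        print(f"{src:>14} on {ifc:<16} -> {verdict}")
```

The fourth sample packet is the case the post describes: the customer's traffic is legitimate, but because the best route to its prefix points out FastEthernet0/1, strict uRPF on the core-facing interface drops it.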