North American Network Operators Group


Re: CEF RPF check w/ACLs (was: Re: netscan.org update)

  • From: James A. T. Rice
  • Date: Thu Sep 28 09:53:16 2000

Wow, I wonder what Cisco would do with my wish list:


ip verify unicast reverse-exists

i.e. only accept the packet on this interface if there is a route back to
the source, *not necessarily on the same interface*..
This should be safe to use on all interfaces and could use the existing
CEF FIB, and might catch a lot of spoofed packets on a good day.


ip verify unicast destination-advertised

This would check the destination address on any packet coming into an
interface, and drop it if a route to that destination WASN'T advertised out
of that interface - /ideal/ for NAPs & IXs. Couldn't use the existing CEF
tables, Cisco would need to write an advertised-table for each
interface. Again this should be safe to use on almost any interface.


Regards
James


On Mon, 25 Sep 2000, Tony Tauber wrote:

> I was the one who asked for something like it and a friendly
> developer coded it up nice and quickly.
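The three checks discussed in this thread (the existing same-interface RPF check, the proposed "reverse-exists" check, and the proposed "destination-advertised" check) can all be modelled as longest-prefix-match lookups against a FIB. The following is an added example written for this archive page; it is not code from the original post, from Cisco, or from any IOS feature. The FIB, the per-interface advertised table, the interface names, the packets and the addresses (taken from the RFC 5737 documentation ranges) are all constructed, and the `allow_default` knob is an assumption of the example: with a default route in the FIB every source "exists", so the default is skipped unless the caller opts in.

```python
"""Simulated unicast RPF checks over a constructed FIB.

Added example, not from the original NANOG post and not Cisco code.
Models three checks as longest-prefix-match lookups:
  strict : route to the source must point back out the receiving interface
  loose  : a route to the source must exist on any interface ("reverse-exists")
  dest   : the destination must be a prefix we advertised out the receiving
           interface ("destination-advertised")
All prefixes, interfaces and packets below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def net(s: str) -> Net:
    return ipaddress.ip_network(s)


# Constructed FIB: (prefix, next-hop interface). Longest match wins.
# 10.2.200.0/24 is a more-specific of customer B that is reached via
# customer A's link, so B's traffic from that block arrives asymmetrically.
FIB: List[Tuple[Net, str]] = [
    (net("10.1.0.0/16"), "Serial0"),       # customer A
    (net("10.2.0.0/16"), "Serial1"),       # customer B
    (net("10.2.200.0/24"), "Serial0"),     # more-specific of B, via A
    (net("192.0.2.0/24"), "Ethernet0"),    # our own LAN
    (DEFAULT, "Ethernet1"),                # default towards the IX/upstream
]

# Constructed "advertised table": prefixes we announce out of each interface.
# Customers get a default from us; the IX gets only our own and customer space.
ADVERTISED: Dict[str, List[Net]] = {
    "Serial0": [DEFAULT],
    "Serial1": [DEFAULT],
    "Ethernet0": [],
    "Ethernet1": [net("192.0.2.0/24"), net("10.1.0.0/16"), net("10.2.0.0/16")],
}


def lookup(addr: str, fib=FIB, allow_default: bool = False) -> Optional[Tuple[Net, str]]:
    """Longest-prefix match. The default route is ignored unless allow_default
    is set, because a default route would make any "route exists" test vacuous
    (an assumption of this example, not of the original post)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        if prefix == DEFAULT and not allow_default:
            continue
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def rpf_strict(src: str, in_iface: str, fib=FIB, allow_default: bool = False) -> bool:
    """Existing CEF RPF semantics: the best route to the source must leave via
    the interface the packet arrived on. Drops legitimate asymmetric traffic."""
    hit = lookup(src, fib, allow_default)
    return hit is not None and hit[1] == in_iface


def rpf_loose(src: str, fib=FIB, allow_default: bool = False) -> bool:
    """Proposed "reverse-exists": any route to the source, on any interface."""
    return lookup(src, fib, allow_default) is not None


def dest_advertised(dst: str, in_iface: str, advertised=ADVERTISED,
                    allow_default: bool = False) -> bool:
    """Proposed "destination-advertised": accept only if we announced a prefix
    covering the destination out of the receiving interface."""
    ip = ipaddress.ip_address(dst)
    for prefix in advertised.get(in_iface, []):
        if prefix == DEFAULT and not allow_default:
            continue
        if ip in prefix:
            return True
    return False


def verdicts(src: str, dst: str, in_iface: str) -> Dict[str, bool]:
    """Run all three checks on one packet; True means 'accept'."""
    return {
        "strict": rpf_strict(src, in_iface),
        "loose": rpf_loose(src),
        "dest": dest_advertised(dst, in_iface),
    }


# Constructed sample packets: (source, destination, receiving interface).
PACKETS = [
    ("10.1.3.4", "192.0.2.10", "Serial0"),          # customer A, symmetric
    ("10.2.200.7", "192.0.2.10", "Serial1"),        # customer B, asymmetric
    ("203.0.113.9", "192.0.2.10", "Serial0"),       # unrouted (spoofed) source
    ("198.51.100.1", "10.1.5.5", "Ethernet1"),      # from IX to our customer
    ("198.51.100.1", "198.51.100.77", "Ethernet1"), # from IX, destination not ours
]

if __name__ == "__main__":
    for src, dst, iface in PACKETS:
        print(f"{iface:9} {src:>14} -> {dst:<14} {verdicts(src, dst, iface)}")
```

The second packet is the case the post is driving at: strict RPF drops it because the more-specific route points out Serial0, while the loose check accepts it because a route to the source exists somewhere, which is why the loose form is safe on interfaces where routing is asymmetric. The last two packets show the destination-advertised check doing what an IX-facing interface wants: traffic to space we announce is accepted, traffic using us as unadvertised transit is dropped. On a customer interface where we send a default the same check is meaningless unless the default is excluded, hence the `allow_default` switch.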