North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: CEF RPF check w/ACLs (was: Re: netscan.org update)
Wow, I wonder what cisco would do with my wish list: ip verify unicast reverse-exists i.e. only accept the packet on this interface if there is a route back to the source, *not necessarily on the same interface*.. This should be safe to use on all interfaces and could use the existing CEF FIB, and might catch a lot of spoofed packets on a good day. ip verify unicast destination-advertised This would check the destination address on any packet coming into an interface, and drop it if a route to that destination WASNT advertised out of that interface - /ideal/ for NAPs & IX's. Couldnt use the existing cef tables, cisco would need to write an advertised-table for each interface. Again this should be safe to use on almost any interface. Regards James On Mon, 25 Sep 2000, Tony Tauber wrote: > I was the one who asked for something like it and a friendly > developer coded it up nice and quickly.
|