North American Network Operators Group
Re: Who does source address validation? (was Re: what's that smell?)
On Tue, Oct 08, 2002 at 11:09:10AM -0400, Sean Donelan wrote:

> If there is a magic solution, I would love to hear about it.

To drop the rfc1918 space, there is a close to magic solution. Install this on all your internal, upstream, downstream interfaces (cisco router) [cef required]:

  "ip verify unicast source reachable-via any"

This will drop all packets on the interface that do not have a way to return them in your routing table.

> Unfortunately, the only solutions I've seen involve considerable work and
> resources to implement and maintain all the "exceptions" needed to do 100%
> source address validation.

Juniper has a somewhat viable solution to the 100% source validation for bgp customers. They will consider non-best paths in their unicast-rpf check on the customer interface. This means that even if 35.0.0.0/8 is best returned via your peer instead of via the provider the packet came in, but they are advertising the prefix to you, you will not drop the packet.

> Heck, the phone network still has trouble getting the correct Caller-ID
> end-to-end.

Uh, this is because it costs another 1/2 a cent a minute (or more) to provision a caller-id capable trunk (long distance) and people just don't want to pay the extra money and it's cheaper to not identify oneself. (This is why most telemarketers don't generate caller-id or if they can, they suppress it).

- jared

--
Jared Mauch | pgp key available via finger from [email protected]
clue++; | http://puck.nether.net/~jared/
My statements are only mine.
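The three behaviours contrasted in the message above (Cisco loose-mode "reachable-via any", the stricter per-interface check, and Juniper's consideration of non-best paths for BGP customers) are easier to compare on a small routing table. The following Python model is an added illustration, not code from the thread or from either vendor; the routing table, interface names and the "feasible" mode label are constructed for the example, and the treatment of the default route (ignored unless allow_default is set) is the toy's own simplification of the vendors' allow-default style options.

```python
"""Toy uRPF (unicast reverse-path forwarding) source-validation checker.

Models three behaviours discussed in the thread:
  strict   - the best route back to the source must point out the
             interface the packet arrived on.
  loose    - "reachable-via any": any route back to the source will do;
             unrouted space such as RFC 1918 prefixes is dropped.
  feasible - alternate (non-best) BGP paths also count, so a customer
             advertising a prefix whose best path is via a peer still
             passes on the customer interface.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str      # interface the route points out of
    best: bool = True   # False = alternate path held in the BGP table only


# Constructed sample routing table (hypothetical interface names).
SAMPLE_RIB: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "upstream0"),            # default route
    Route(ipaddress.ip_network("35.0.0.0/8"), "peer0", best=True),    # best path via peer
    Route(ipaddress.ip_network("35.0.0.0/8"), "cust1", best=False),   # also advertised by customer
    Route(ipaddress.ip_network("198.51.100.0/24"), "cust1"),
    Route(ipaddress.ip_network("203.0.113.0/24"), "upstream0"),
]


def _candidates(rib, src, include_non_best, allow_default):
    """Longest-prefix-match routes for src, filtered by the mode's rules."""
    matches = [
        r for r in rib
        if src in r.prefix
        and (r.best or include_non_best)
        and (r.prefix.prefixlen > 0 or allow_default)  # default route only if allowed
    ]
    if not matches:
        return []
    longest = max(r.prefix.prefixlen for r in matches)
    return [r for r in matches if r.prefix.prefixlen == longest]


def urpf_pass(rib, src, ingress, mode="loose", allow_default=False):
    """Return True if a packet from src arriving on ingress passes the check."""
    src = ipaddress.ip_address(src)
    if mode == "loose":
        # Any route back to the source is enough; unrouted space fails.
        return bool(_candidates(rib, src, False, allow_default))
    if mode == "strict":
        # Best route must leave via the interface the packet came in on.
        return any(r.interface == ingress
                   for r in _candidates(rib, src, False, allow_default))
    if mode == "feasible":
        # Same as strict, but non-best (alternate) paths are considered too.
        return any(r.interface == ingress
                   for r in _candidates(rib, src, True, allow_default))
    raise ValueError(f"unknown mode {mode!r}")


def verdicts(rib, packets, mode, allow_default=False):
    """Evaluate a list of (src, ingress) pairs; returns (src, ingress, passed) tuples."""
    return [(src, ingress, urpf_pass(rib, src, ingress, mode, allow_default))
            for src, ingress in packets]


if __name__ == "__main__":
    # Constructed sample packets: one RFC 1918 source, one spoofed-looking
    # source on the wrong interface, one customer-advertised prefix.
    packets = [("10.0.0.1", "cust1"), ("203.0.113.5", "cust1"), ("35.1.2.3", "cust1")]
    for mode in ("loose", "strict", "feasible"):
        for src, ingress, ok in verdicts(SAMPLE_RIB, packets, mode):
            print(f"{mode:8s} {src:>14s} on {ingress:10s} -> {'pass' if ok else 'drop'}")
```

Note the two edge cases the model makes visible: with the default route ignored, loose mode still drops RFC 1918 sources even though 0.0.0.0/0 would technically match them, and the 35.0.0.0/8 packet on the customer interface is dropped by strict mode but accepted in feasible mode because the customer's own advertisement is an alternate path.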