North American Network Operators Group


Re: Who does source address validation? (was Re: what's that smell?)

  • From: Jared Mauch
  • Date: Tue Oct 08 11:52:44 2002

On Tue, Oct 08, 2002 at 09:34:19AM -0600, Danny McPherson wrote:
> 
> 
> > 	install this on all your internal, upstream, downstream
> > interfaces (cisco router) [cef required]:
> > 
> > "ip verify unicast source reachable-via any"
> > 
> > 	This will drop all packets on the interface that do not
> > have a way to return them in your routing table.
> 
> Of course, this is the IP RIB and may not include all the 
> potential paths in the BGP Adj-RIBs-In, right?  As such, 
> you've still got the potential for asymmetric routing to 
> break things.

	No, this is "if I have a path in the FIB back to this source,
transmit; else drop."

	It does not validate that it is reachable via that interface, just
reachable at all.

	So as long as you aren't null routing 1918 space in your network
to drop packets destined for 1918 space, it will determine there is no
route (back) and drop it.


> > 	Juniper has a somewhat viable solution to the 100% source
> > validation for bgp customers.  they will consider non-best
> > paths in their unicast-rpf check on the customer interface.  This
> > means that even if 35.0.0.0/8 is best returned via your
> > peer instead of via the provider the packet came in, but they
> > are advertising the prefix to you, you will not drop the packet.
> 
> What's a "bgp customer"?  Can they support 500K+ uRPF entries here?

	I'm not sure what the hardware limitations on the Juniper
router are with this unicast RPF.  It was introduced
recently (I think in 5.3?) and I personally have not done a
significant amount of testing with it.  I'm just offering it as
general knowledge for those that aren't aware that Juniper
has unicast RPF, and that it is somewhat different from
the Cisco per-interface model, as well as offering a different
type of check that may address some people's design issues.

	(This uses the BGP Adj-RIB-In info, not the Cisco check I
describe above.)

	- jared

-- 
Jared Mauch  | pgp key available via finger from [email protected]
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
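To make the distinction in the thread concrete (a route back to the source existing at all, versus the best route pointing out the interface the packet arrived on), here is an added Python simulation of the two checks; it is not code from the thread or from any vendor, and the FIB contents, interface names and source addresses are constructed for illustration.

```python
import ipaddress

# Constructed FIB: prefix -> interface the best route exits through.
# 35.0.0.0/8 is the thread's example of a prefix whose best path is via a
# peer even though a customer also originates traffic from it.
FIB = {
    ipaddress.ip_network("35.0.0.0/8"): "peer-uplink",
    ipaddress.ip_network("192.0.2.0/24"): "customer-a",
    ipaddress.ip_network("198.51.100.0/24"): "customer-b",
}


def fib_lookup(src):
    """Longest-prefix match. Returns (prefix, interface) or None if no route."""
    addr = ipaddress.ip_address(src)
    matches = [(p, i) for p, i in FIB.items() if addr in p]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def urpf_loose(src, ingress):
    """'reachable-via any' as described in the thread: forward if any route
    back to the source exists, regardless of which interface it points at."""
    return fib_lookup(src) is not None


def urpf_strict(src, ingress):
    """Per-interface check: forward only if the best route back to the source
    exits via the interface the packet arrived on."""
    route = fib_lookup(src)
    return route is not None and route[1] == ingress


if __name__ == "__main__":
    # Asymmetric case: best path to 35/8 is via the peer, packet came from a customer.
    print("35.1.2.3 via customer-a  loose:", urpf_loose("35.1.2.3", "customer-a"),
          " strict:", urpf_strict("35.1.2.3", "customer-a"))
    # Unrouted 1918 source: no FIB entry, so both modes drop it.
    print("10.1.1.1 via customer-a  loose:", urpf_loose("10.1.1.1", "customer-a"),
          " strict:", urpf_strict("10.1.1.1", "customer-a"))
```

The first case shows why the loose check survives asymmetric routing where the per-interface check does not; the second shows that neither mode forwards a spoofed source with no route back.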