North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Who does source address validation? (was Re: what's that smell?)
On Tue, Oct 08, 2002 at 12:09:56PM -0400, Jeff Aitken wrote: > On Tue, Oct 08, 2002 at 11:49:41AM -0400, Jared Mauch wrote: > > > Of course, this is the IP RIB and may not include all the > > > potential paths in the BGP Adj-RIBs-In, right? As such, > > > you've still got the potential for asymmetric routing to > > > break things. > > > > No, this is "if i have a path in fib" back to this source, > > transmit else drop; > > Unless I'm missing something, that's what he said; fib == loc-rib > for the purposes of this discussion, and loc-rib is built from the > various adj-ribs-in. Correct, but it is not doing a check to see if it's returnable via the interface it came in, just if it's returnable at all. As the fib/rib is built off of the adj-rib-in (minus filtering and local policy), and the check on the cisco validates against the CEF (fib) table on the Linecard (or centralized CPU in the case of non-[fully-]distributed platforms) i wanted to clarify the check that is performed. > That said, I'm curious to know how asymmetric routing can break > this. As long as someone is sending (and you are installing) a > prefix that includes the source address this check will pass. > If you don't have a route back to the source at all, that isn't > asymmetric routing, it's network partitioning, assuming the source > is legitimate. Exactly. If I can't reach you, I don't want to have my hosts or routers spend more time than is necessary dealing with your requests. - Jared -- Jared Mauch | pgp key available via finger from [email protected] clue++; | http://puck.nether.net/~jared/ My statements are only mine.
|