North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Who does source address validation? (was Re: what's that smell?)

  • From: Jared Mauch
  • Date: Tue Oct 08 12:21:10 2002

On Tue, Oct 08, 2002 at 12:09:56PM -0400, Jeff Aitken wrote:
> On Tue, Oct 08, 2002 at 11:49:41AM -0400, Jared Mauch wrote:
> > > Of course, this is the IP RIB and may not include all the 
> > > potential paths in the BGP Adj-RIBs-In, right?  As such, 
> > > you've still got the potential for asymmetric routing to 
> > > break things.
> > 
> > 	No, this is "if i have a path in fib" back to this source,
> > transmit else drop;
> 
> Unless I'm missing something, that's what he said; fib == loc-rib
> for the purposes of this discussion, and loc-rib is built from the
> various adj-ribs-in.

	Correct, but it is not doing a check to see if it's returnable
via the interface it came in, just if it's returnable at all.

	As the fib/rib is built off of the adj-rib-in (minus filtering
and local policy), and the check on the cisco validates against
the CEF (fib) table on the Linecard (or centralized CPU in the
case of non-[fully-]distributed platforms) i wanted to clarify the
check that is performed.

> That said, I'm curious to know how asymmetric routing can break
> this.  As long as someone is sending (and you are installing) a
> prefix that includes the source address this check will pass. 
> If you don't have a route back to the source at all, that isn't
> asymmetric routing, it's network partitioning, assuming the source
> is legitimate.

	Exactly.  If I can't reach you, I don't want to
have my hosts or routers spend more time than is necessary
dealing with your requests.

	- Jared
-- 
Jared Mauch  | pgp key available via finger from [email protected]
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.