North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: no ip forged-source-address

  • From: Lars Erik Gullerud
  • Date: Wed Oct 30 14:05:13 2002

On Wed, 2002-10-30 at 16:44, [email protected] wrote:

> Therefore, would it be a reasonable suggestion to ask router vendors to
> source address filtering in as an option[1] on the interface and then move
> it to being the default setting[2] after a period of time?  This appeared
> to have some success with reducing the number of networks that forwarded
> broadcast packets (as with "no ip directed-broadcast").
[snip] 

> [1] For example, an IOS config might be:
> 
> interface fastethernet 1/0
>  no ip forged-source-address

Well, this already exists, doesn't it? Try the following on your
customer-facing interface:

ip verify unicast source reachable-via rx

> [2] Network admins would still have the option of turning it off, but this 
> would have to be explicitly configured.

I have a feeling that having strict uRPF as the default setting on an
interface would be very badly received by a lot of ISP's. I know I
certainly wouldn't like it very much.

Is it really the job of router vendors to protect the net from
lazy/incompetent/ignorant network admins?

/leg