North American Network Operators Group

Re: no ip forged-source-address
On Wed, 2002-10-30 at 16:44, [email protected] wrote:

> Therefore, would it be a reasonable suggestion to ask router vendors to
> source address filtering in as an option[1] on the interface and then move
> it to being the default setting[2] after a period of time? This appeared
> to have some success with reducing the number of networks that forwarded
> broadcast packets (as with "no ip directed-broadcast").

[snip]

> [1] For example, an IOS config might be:
>
> interface fastethernet 1/0
> no ip forged-source-address

Well, this already exists, doesn't it? Try the following on your customer-facing interface:

ip verify unicast source reachable-via rx

> [2] Network admins would still have the option of turning it off, but this
> would have to be explicitly configured.

I have a feeling that having strict uRPF as the default setting on an interface would be very badly received by a lot of ISPs. I know I certainly wouldn't like it very much.

Is it really the job of router vendors to protect the net from lazy/incompetent/ignorant network admins?

/leg
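An added example, not part of the original message: a simplified Python model of the check that "ip verify unicast source reachable-via rx" (strict) and "reachable-via any" (loose) perform, showing both the spoofed packet strict mode drops and the multihomed case it also drops. The FIB contents, interface names and the function names are constructed for illustration; real routers evaluate this against the CEF table.

```python
import ipaddress

# Constructed FIB for a hypothetical edge router: prefix -> egress interface.
# Prefixes are documentation ranges; interface names are made up.
FIB = {
    "192.0.2.0/24": "Fa1/0",     # single-homed customer
    "198.51.100.0/24": "Fa1/1",  # multihomed customer, best path via Fa1/1
    "0.0.0.0/0": "Se0/0",        # default route to upstream
}

def lookup(src, fib=FIB):
    """Longest-prefix match: return (network, egress interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_permit(src, in_iface, mode="rx", allow_default=False, fib=FIB):
    """Model of the uRPF decision: mode 'rx' is strict, 'any' is loose."""
    hit = lookup(src, fib)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False  # a match on the default route alone does not count
    if mode == "any":
        return True   # loose: the source only has to be routable somewhere
    return iface == in_iface  # strict: reverse path must be the ingress interface

if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "Fa1/0", "rx"),    # legitimate customer traffic
        ("203.0.113.5", "Fa1/0", "rx"),   # forged source, no specific route
        ("192.0.2.10", "Fa1/1", "rx"),    # forged as another customer's address
        ("192.0.2.10", "Fa1/1", "any"),   # same packet under loose mode
        ("198.51.100.7", "Fa1/2", "rx"),  # multihomed customer using backup link
    ]
    for src, iface, mode in cases:
        verdict = "permit" if urpf_permit(src, iface, mode) else "drop"
        print(f"{src:>14} in {iface} mode={mode:<3} -> {verdict}")
```

The last case is legitimate traffic that arrives on an interface other than the router's best path back to the source, which is the asymmetric-routing situation that makes strict mode as a default contentious.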