|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: no ip forged-source-address
On Wed, Oct 30, 2002 at 08:02:13PM +0100, Lars Erik Gullerud wrote: > > On Wed, 2002-10-30 at 16:44, [email protected] wrote: > > > Therefore, would it be a reasonable suggestion to ask router vendors to > > source address filtering in as an option[1] on the interface and then move > > it to being the default setting[2] after a period of time? This appeared > > to have some success with reducing the number of networks that forwarded > > broadcast packets (as with "no ip directed-broadcast"). > [snip] > > > [1] For example, an IOS config might be: > > > > interface fastethernet 1/0 > > no ip forged-source-address > > Well, this already exists, doesn't it? Try the following on your > customer-facing interface: > > ip verify unicast source reachable-via rx > > > [2] Network admins would still have the option of turning it off, but this > > would have to be explicitly configured. > > I have a feeling that having strict uRPF as the default setting on an > interface would be very badly received by a lot of ISP's. I know I > certainly wouldn't like it very much. > > Is it really the job of router vendors to protect the net from > lazy/incompetent/ignorant network admins? No, but I can't enable these features on all my router interfaces without causing delays/drops due to poor inital design quality and lack of long-term vision for linecards manufactured. The rush for time-to-market can cause you to lose in the long-term due to lack of features. - jared -- Jared Mauch | pgp key available via finger from [email protected] clue++; | http://puck.nether.net/~jared/ My statements are only mine.
|