On Sun, 7 Mar 2004, E.B. Dreger wrote:
> If SAV were universal (ha ha ha!), one could discount spoofed traffic when analyzing flows. But, hey, why bother playing nice and helping other networks, eh?
SAV doesn't tell you where the packets came from. At best SAV tells you where the packets didn't come from.
> Am I the only one who's had IWFs -- even legitimate entities -- complain about packets "from your network" that weren't? It certainly would have been nice if $other_networks had used SAV.
You still need to spend the same amount of time tracing the flows because you can't tell from the packet itself if something went wrong with SAV. Even if everyone said they did SAV (and meant it), things like uRPF rely on a number of things to work correctly. If any of those break or aren't secure, you still can't rely on the source address being accurate. Even if you deployed SAV/uRPF on 100% of your network, you probably wouldn't want to tell people about it due to the idiots with firewalls.
> SAV doesn't take long to implement. Considering the time spent discounting spoofing when responding to incidents, I think there would be a _net_ savings (no pun intended) in time spent responding to incidents.
You would be wrong. There are networks that have deployed SAV/uRPF. They saw no _net_ savings. In the real world, it costs more to deploy and maintain SAV/uRPF. Have you noticed this thread is full of people who don't run large networks saying other people who do run networks should deploy SAV/uRPF, but there hasn't been anyone who does run large networks saying they deployed SAV/uRPF and it saved them money, made their network run better or improved the world?
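The two points argued in this message (a passing SAV check only says where a packet did not come from, and uRPF is only as trustworthy as the routing table it consults) can be seen in a small simulation. The following is an added example, not code from this thread or from any router vendor: it models strict and loose unicast RPF over a constructed FIB with made-up prefixes and interface names, and shows which spoofed sources each mode catches, which it cannot, and what happens when the FIB itself is wrong.

```python
# Added illustration: toy strict/loose uRPF over a constructed FIB.
# Prefixes and interface names are invented for the example.
import ipaddress

# Constructed FIB: destination prefix -> interface the route points out of.
FIB = {
    "10.0.0.0/8": "eth0",     # customer A behind eth0
    "10.1.0.0/16": "eth1",    # customer B (a more-specific) behind eth1
    "192.0.2.0/24": "eth2",   # upstream / transit side
}


def lookup(fib, addr):
    """Longest-prefix match. Returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(fib, src, ingress):
    """Strict mode: accept only if the best route *back to* the source
    address points at the interface the packet arrived on."""
    hit = lookup(fib, src)
    return hit is not None and hit[1] == ingress


def urpf_loose(fib, src, ingress):
    """Loose mode: accept if any route to the source exists; the ingress
    interface is ignored, so only unrouted (bogon) sources are dropped."""
    return lookup(fib, src) is not None


def check_packet(fib, src, ingress, mode="strict"):
    """Return 'pass' or 'drop' for a packet with source src seen on ingress."""
    fn = urpf_strict if mode == "strict" else urpf_loose
    return "pass" if fn(fib, src, ingress) else "drop"


def demo():
    """Constructed packets exercising what each mode can and cannot tell you."""
    # Route leak / misconfiguration: B's prefix now appears behind eth0.
    # uRPF has no way to know this route is wrong; it trusts the FIB.
    leaked_fib = dict(FIB, **{"10.1.0.0/16": "eth0"})
    return {
        "B host from eth1 (legit)": check_packet(FIB, "10.1.2.3", "eth1"),
        "A spoofing B, strict": check_packet(FIB, "10.1.2.3", "eth0"),
        "A spoofing B, loose": check_packet(FIB, "10.1.2.3", "eth0", "loose"),
        # Source is inside A's own aggregate: could be A's real host or an
        # A host spoofing a neighbour. uRPF cannot distinguish these.
        "A-space source from eth0": check_packet(FIB, "10.2.2.3", "eth0"),
        "unrouted source, loose": check_packet(FIB, "198.51.100.7", "eth0", "loose"),
        "upstream addr from customer, strict": check_packet(FIB, "192.0.2.9", "eth0"),
        "upstream addr from customer, loose": check_packet(FIB, "192.0.2.9", "eth0", "loose"),
        "A spoofing B after route leak": check_packet(leaked_fib, "10.1.2.3", "eth0"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:40s} -> {verdict}")
```

Read the results against the argument: strict mode catches A spoofing B, but a source anywhere inside A's own aggregate passes whether or not it is genuine, so a "pass" never identifies the true origin, only rules some origins out. Loose mode is weaker still, dropping only unrouted space. And once the FIB carries a wrong route (the leak case), the spoofed packet passes the strict check too, which is the dependency on "a number of things working correctly" that the message describes. The same mechanism is why strict uRPF is hard to run on multi-homed or asymmetric edges: a legitimate packet arriving on an interface the FIB does not prefer for its source is dropped exactly like a spoofed one.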