On Tue, Oct 08, 2002 at 09:34:19AM -0600, Danny McPherson wrote:
Install this on all your internal, upstream, and downstream interfaces (Cisco router) [CEF required]:
"ip verify unicast source reachable-via any"
This will drop all packets on the interface that do not have a way to return them in your routing table.
Of course, this is the IP RIB and may not include all the potential paths in the BGP Adj-RIBs-In, right? As such, you've still got the potential for asymmetric routing to break things.
No, this is "if I have a path in the FIB back to this source, transmit, else drop". It does not validate that it is reachable via that interface, just reachable at all. So as long as you aren't null-routing 1918 space in your network to drop packets destined for 1918 space, it will determine there is no route (back) and drop it.
Juniper has a somewhat viable solution to the 100% source validation for BGP customers. They will consider non-best paths in their unicast-RPF check on the customer interface. This means that even if 35.0.0.0/8 is best returned via your peer instead of via the provider the packet came in on, but they are advertising the prefix to you, you will not drop the packet.
What's a "BGP customer"? Can they support 500K+ uRPF entries here?
I'm not sure what the hardware limitations on the Juniper router are with this unicast RPF. It was introduced recently (I think in 5.3?) and I personally have not done a significant amount of testing with it. I'm just offering it as general knowledge for those that aren't aware that Juniper has unicast RPF, and that it is somewhat different from the Cisco per-interface model, as well as offering a different type of check that may address some people's design issues (this uses the BGP Adj-RIB-In info), not the Cisco check I describe above.
- jared
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
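The three source checks discussed in the thread, as an added illustration that is not part of the original mail: Cisco loose mode ("reachable-via any", pass if the FIB has any route back), Cisco strict mode (pass only if the best route points out the receiving interface), and the Juniper check that also accepts non-best paths from the BGP Adj-RIBs-In. The FIB and Adj-RIB-In tables, the interface names "peer0" and "cust1", and the 35.0.0.0/8 asymmetry are constructed sample data.

```python
import ipaddress

# Constructed sample tables (not from the thread).
# FIB: best route per prefix -> outgoing interface.
FIB = {
    "35.0.0.0/8": "peer0",        # best path back to 35/8 is via the peer
    "192.0.2.0/24": "cust1",
    "198.51.100.0/24": "peer0",
}
# BGP Adj-RIBs-In: every path heard for a prefix, best or not -> set of interfaces.
ADJ_RIB_IN = {
    "35.0.0.0/8": {"peer0", "cust1"},   # the customer also advertises 35/8 (non-best)
    "192.0.2.0/24": {"cust1"},
    "198.51.100.0/24": {"peer0"},
}


def lookup(table, src):
    """Longest-prefix match of src against the table's prefixes; None if no route."""
    addr = ipaddress.ip_address(src)
    best = None
    for pfx in table:
        net = ipaddress.ip_network(pfx)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return None if best is None else str(best)


def urpf_loose(src, iface):
    """Cisco 'reachable-via any': pass if the FIB has any route back to src."""
    return lookup(FIB, src) is not None


def urpf_strict(src, iface):
    """Cisco 'reachable-via rx': pass only if the best route to src leaves via iface."""
    pfx = lookup(FIB, src)
    return pfx is not None and FIB[pfx] == iface


def urpf_feasible(src, iface):
    """Juniper-style check: pass if any Adj-RIB-In path to src was learned on iface."""
    pfx = lookup(ADJ_RIB_IN, src)
    return pfx is not None and iface in ADJ_RIB_IN[pfx]


if __name__ == "__main__":
    # Asymmetric case from the thread: packet from 35/8 arrives on the customer link.
    for check in (urpf_loose, urpf_strict, urpf_feasible):
        print(check.__name__, "35.1.2.3 on cust1 ->", check("35.1.2.3", "cust1"))
```

Strict mode drops the asymmetric 35/8 packet on cust1, loose mode and the feasible-path check pass it, and an RFC 1918 source with no FIB entry is dropped by all three.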