On Mon, 8 Mar 2004, E.B. Dreger wrote:
SD> Date: Sun, 7 Mar 2004 16:17:50 -0500 (EST)
SD> From: Sean Donelan
SD> SAV doesn't tell you where the packets came from. At best
SD> SAV tells you where the packets didn't come from.
If SAV were universal, source addresses could not be spoofed. If source addresses could not be spoofed...
In a perfect world, yes. For today we still have LOTS of folks that firewall in one direction only. A great example of this is the great firewall of China :( How, if they are filtering every packet that leaves their country, can I still get attacked from them? :( Until this is a default behaviour and you can't screw it up (à la directed-broadcast), this will be something we all have to deal with.
SD> Have you noticed this thread is full of people who don't run
SD> large networks saying other people who do run networks should
SD> deploy SAV/uRPF.
1. SAV is most effective at the edge, which often implies the smaller networks should be doing it
Excellent, the original point of the conversation has been satisfied... uRPF for the core is not a good plan; edge networks are a great place for this. Doing this on single-homed customers is a great step in the right direction. However, as you say, the best place for this is on the edge of the network. So this implies that each edge LAN router will/should have uRPF, or at least an ACL permitting only local LAN traffic to source from it, right? I have a question: I wonder if uRPF works on low-end platforms without running CEF? Do all low-end platforms gracefully support CEF along with the other things enterprises typically do on routers? (just a question really...)
2. I've not seen large networks talking about their awful experiences with SAV.
It melts routers; good enough for you? Specifically, it melts linecards :( My experience is only on Cisco equipment though, so the linecard/IOS/rev games must be played. If you upgrade, or initially install, E3 cards, a large portion of this care is not necessary though. This is a problem that could be migrated out as new equipment/capabilities hit everyone's networks. I suspect that market pressure will push things in this direction anyway over time.
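As an added illustration (not part of the thread or any vendor's code), a small simulation of the two edge checks discussed above: strict-mode uRPF, which accepts a packet only when the best route back to its source leaves via the interface it arrived on, and the simpler ACL that permits only the LAN's own prefix as a source. The FIB entries, interface names and addresses are constructed sample values; the default-route handling mirrors the common router behaviour of ignoring a /0 match unless explicitly allowed.

```python
"""Strict-mode uRPF and a local-prefix ACL, simulated over a toy FIB.

Constructed example: a stub edge router with one single-homed customer
(cust-a), one multihomed customer (cust-b) and a default route upstream.
"""
import ipaddress

# Constructed FIB: (prefix, egress interface). Longest prefix wins.
FIB = [
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
    (ipaddress.ip_network("192.0.2.0/24"), "cust-a"),     # single-homed
    (ipaddress.ip_network("198.51.100.0/24"), "cust-b"),  # multihomed
]

# The ACL alternative: per interface, the only prefix allowed as a source.
LOCAL = {"cust-a": ipaddress.ip_network("192.0.2.0/24")}


def lookup(addr, allow_default=False):
    """Longest-prefix match for addr; the /0 route counts only if allowed."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB:
        if prefix.prefixlen == 0 and not allow_default:
            continue
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def urpf_strict(src, ingress, allow_default=False):
    """Accept iff the route back to src points out the ingress interface.

    On a multihomed customer whose traffic may arrive asymmetrically this
    produces false drops, which is why the thread limits it to the edge.
    """
    return lookup(src, allow_default) == ingress


def acl_local_only(src, ingress):
    """Accept iff src falls inside the prefix assigned to that LAN interface."""
    return ingress in LOCAL and ipaddress.ip_address(src) in LOCAL[ingress]


if __name__ == "__main__":
    print(urpf_strict("192.0.2.10", "cust-a"))          # legitimate, passes
    print(urpf_strict("203.0.113.5", "cust-a"))         # spoofed, dropped
    print(urpf_strict("198.51.100.7", "upstream"))      # asymmetric path, false drop
    print(urpf_strict("203.0.113.5", "upstream", True)) # passes: SAV only says where it is not from
```

The last call shows Sean's point: a source that matches nothing more specific than the default route is accepted on the upstream side, so SAV at the edge proves only that a packet did not originate from the filtered customer.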