In message <199609240803.BAA03576@quest.quake.net>, Vadim Antonov writes:
Basing this on the AdjRibIn is a more work than just reversing the sense of the Fib but it does cover quite a few more cases. Though not all of them.
No, not of course; but more than enough to be practical. A _lot_ more practical than manually (or semi-automatically) maintained access lists which do not provide any "visible" benefit.
The transit providers still need to be able to trace attacks after the fact since there is no filter that covers these cases...
Absolutely. When other things do not help :)
and filters at the fringes will be spotty deplomyments.
That's why i want reverse-route verification to be _default_ behaviour of routers. A person who knows how to use asymmetric routing would know how to turn the feature off. A person who is clueless or simply doesn't care will leave default as is.
--vadim
Vadim, I guess you missed what I proposed earlier. It was similar though the Fib was used so it only worked for single homed connections. The advantage was simplicity. All that needed to be changed was the forwarding code. Your proposal involves the AdjRibIn which would require BGP code changing flags on the forwarding entries. A bit more work for the router developers but covers more cases. We both proposed turning this on by default with cluefull people who knew routing would be assymetric turning it off. Curtis