Once upon a time, John Kristoff <jtk@aharp.is-net.depaul.edu> said:
> It might be nice if all router vendors were able to associate the
> interface configured address(es)/nets as a variable for ingress
> filters. So for in the Cisco world, a simple example would be:
>
> interface Serial0
>  ip address 192.0.2.1 255.255.255.128
>  ip access-group 100 in
> !
> interface Serial1
>  ip address 192.0.2.129 255.255.255.128
>  ip access-group 100 in
> !
> access-list 100 permit ip $interface-routes any
> access-list 100 deny ip any any

How is this different than "ip verify unicast reverse-path" (modulo CEF
problems and bugs, which of course NEVER happen :-) )?
Multihomed customers are more interesting, but if all the single homed
customers had uRPF (or $VENDOR's equivalent) enabled it would cut down
on a significant amount of the spoofed traffic.
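
Added example, not part of the original message: a small Python model that runs the same packets through the proposed per-interface ACL and through a strict uRPF check, to show where the two verdicts differ. It assumes `$interface-routes` means only the subnets configured on the ingress interface; the static route, the multihomed prefix and all packets are constructed for illustration.

```python
import ipaddress

# Constructed FIB as (prefix, egress interface). The two connected /25s come
# from the quoted config; the other two routes are assumptions for illustration.
FIB = [
    ("192.0.2.0/25", "Serial0"),     # connected
    ("192.0.2.128/25", "Serial1"),   # connected
    ("198.51.100.0/24", "Serial0"),  # assumed static route to a block behind Serial0
    ("203.0.113.0/24", "Serial2"),   # assumed multihomed customer, best path via Serial2
]
# Subnets configured directly on each customer-facing interface.
CONNECTED = {"Serial0": ["192.0.2.0/25"], "Serial1": ["192.0.2.128/25"]}

def fib_lookup(addr):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in FIB:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def acl_permits(src, in_if):
    """Proposed ACL: source must fall inside a subnet configured on in_if."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in CONNECTED.get(in_if, []))

def urpf_permits(src, in_if):
    """Strict uRPF: the best route back to src must leave through in_if."""
    return fib_lookup(src) == in_if

def compare(packets):
    """Return (src, in_if, acl_verdict, urpf_verdict) for each packet."""
    return [(s, i, acl_permits(s, i), urpf_permits(s, i)) for s, i in packets]

# Constructed packets: (source address, ingress interface).
PACKETS = [
    ("192.0.2.10", "Serial0"),    # legitimate connected source
    ("192.0.2.200", "Serial0"),   # source belongs to the Serial1 subnet
    ("198.51.100.7", "Serial0"),  # routed block behind Serial0
    ("203.0.113.5", "Serial1"),   # multihomed customer sending on its non-best link
]

if __name__ == "__main__":
    for row in compare(PACKETS):
        print("%-14s %-8s acl=%-5s urpf=%s" % row)
```

The verdicts differ only on the third packet: strict uRPF accepts a prefix routed through the interface, while the connected-subnet ACL does not. The fourth packet is the multihomed case, where both checks drop traffic from a legitimate source.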