On 2010.06.18 09:06, William Herrin wrote:
> On Fri, Jun 18, 2010 at 8:37 AM, Steve Bertrand <steve@ipv6canada.com> wrote:
>> If all IP blocks are tied down to null, and urpf is enabled in loose mode on an interface, it will catch cases where someone is sourcing traffic to you using IPs from the unassigned space that you have in your free pools.
> I'm not sure what that accomplishes. It doesn't close any doors. With loose-mode RPF he can still forge packets from any address actually in use.
Yes, that is correct. However, it stops someone from outside sending your network packets with a source address that currently resides in one of your free pools. What it does is prevent packets with the illegal IP address from actually being delivered to the intended destination within your network, preserving some (perhaps a very small amount) of bandwidth/router resources. For instance, if I send your mail server a packet with a source of one of your IPs that you currently do not have in use and you don't have rpf enabled, the forged packet will make it to the server, be sent back to its next-hop, and then be discarded (if you have tie-downs). With urpf enabled, the packet is discarded upon the first ingress into the network, thereby preventing it from going any further. This is what I use loose mode for anyway.

Steve
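A small model of the behaviour discussed above, added here as an example and not part of the thread: a forwarding table with a Null0 tie-down for the aggregate, a loose-mode uRPF check, and the path a forged packet takes with and without that check on the ingress interface. The prefixes and next-hop names are constructed for the illustration.

```python
import ipaddress

# Constructed routing table. The /24 aggregate is tied down to Null0, so any
# address in it that has no more specific (assigned) route has no real path.
# A remote prefix stands in for "the rest of the Internet"; a real table would
# carry a default route and the loose-mode "allow default" knob decides
# whether that counts as reachable (not modelled here).
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "null0",           # aggregate tie-down
    ipaddress.ip_network("192.0.2.0/26"): "customer-vlan",   # assigned block
    ipaddress.ip_network("192.0.2.128/32"): "server-vlan",   # the mail server
    ipaddress.ip_network("198.51.100.0/24"): "upstream",     # a remote network
}

def lookup(addr):
    """Longest-prefix match; returns the next-hop name, or None if no route."""
    a = ipaddress.ip_address(addr)
    matches = [n for n in FIB if a in n]
    if not matches:
        return None
    return FIB[max(matches, key=lambda n: n.prefixlen)]

def loose_urpf_ok(src):
    """Loose-mode uRPF: the source only has to be reachable via *some* route,
    but a best route pointing at Null0 is not a real path, so it fails."""
    nh = lookup(src)
    return nh is not None and nh != "null0"

def trace(src, dst, urpf_on_ingress):
    """Hops a packet takes before it is discarded or leaves the network.
    With uRPF on ingress the check happens before forwarding; without it the
    packet reaches the destination and only the reply falls into Null0."""
    path = ["ingress"]
    if urpf_on_ingress and not loose_urpf_ok(src):
        return path + ["dropped:urpf"]
    path.append(lookup(dst))          # delivered to the destination host
    reply_nh = lookup(src)            # the host replies; router routes to src
    if reply_nh is None or reply_nh == "null0":
        return path + ["dropped:null-route"]
    return path + [reply_nh]
```

A source from the free pool (192.0.2.200) is dropped at the edge with uRPF but reaches the server without it, while a forged source that is actually in use (192.0.2.10) passes loose mode either way, which is the limitation William points out.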