On Wed, Mar 28, 2012 at 12:16, Leo Bicknell <bicknell@ufp.org> wrote:
> Well, RFC3704 for one has updated the methods and tactics since BCP38 was written. Remember BCP38 was before even "unicast RPF" as we know it existed.

I think the concern of RFC3704/BCP84, i.e., multihoming, is the primary reason we don't see ingress filtering as much as we should. Almost any network worth its salt these days is multihomed, making strict RPF nearly impossible to pull off. Despite this, to my knowledge, Juniper is one of the only vendors that provides feasible-path RPF to deal with it. On Cisco and Brocade for example, you're stuck doing some dark voodoo magic with BGP weights & communities + strict RPF (refer to the previous money and laziness points) to accomplish something that SHOULD be basic.

-- Darius Jahandarie
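
Added example, not part of the original message or any vendor's code: a small Python model of the strict versus feasible-path RPF decision for a multihomed customer. The interface names, the constructed RIB, and the simplification that only the longest matching prefix is consulted are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # interface the route points out of
    best: bool       # True if this path won best-path selection (is in the FIB)

# Constructed RIB on a hypothetical provider edge router. The customer on
# "cust-0" is multihomed: its prefix 192.0.2.0/24 is also heard via "peer-1",
# and that path won selection, so the direct customer path is only an alternate.
RIB = [
    Route(ipaddress.ip_network("192.0.2.0/24"), "peer-1", True),
    Route(ipaddress.ip_network("192.0.2.0/24"), "cust-0", False),
    Route(ipaddress.ip_network("198.51.100.0/24"), "peer-1", True),
]

def candidate_routes(rib, src):
    """All RIB paths for the longest prefix that covers the source address."""
    addr = ipaddress.ip_address(src)
    covering = [r for r in rib if addr in r.prefix]
    if not covering:
        return []
    longest = max(r.prefix.prefixlen for r in covering)
    return [r for r in covering if r.prefix.prefixlen == longest]

def urpf_accept(rib, src, in_if, mode):
    """Return True if a packet from src arriving on in_if passes the check."""
    routes = candidate_routes(rib, src)
    if mode == "strict":
        # Only the selected best path back to the source may match the ingress.
        return any(r.best and r.interface == in_if for r in routes)
    if mode == "feasible":
        # Any known path back to the source, best or alternate, may match.
        return any(r.interface == in_if for r in routes)
    raise ValueError(f"unknown mode: {mode}")

def compare(rib, packets):
    """Map each (src, in_if) to its (strict, feasible) verdicts."""
    return {p: (urpf_accept(rib, *p, "strict"), urpf_accept(rib, *p, "feasible"))
            for p in packets}

if __name__ == "__main__":
    # Constructed packets: legitimate customer traffic, then a spoofed source.
    for pkt, verdict in compare(RIB, [("192.0.2.10", "cust-0"),
                                      ("198.51.100.5", "cust-0")]).items():
        print(pkt, "strict=%s feasible=%s" % verdict)
```

Strict mode drops the customer's own legitimate traffic because the best path points elsewhere, while feasible-path mode accepts it and still drops the source that has no path via the customer interface.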