Hi Darius, Yes, I agree that feasible RPF solves the problem in a lot of scenarios. However, in some other cases, the asymmetric routing is caused by static routing, traffic engineering, policy routing, etc., where the lengths of forward path and reverse path may differ, so feasible RPF may also fail (false positive). Bingyang On Wed, Mar 28, 2012 at 7:07 PM, Darius Jahandarie <djahandarie@gmail.com> wrote:
On Wed, Mar 28, 2012 at 12:50, David Conrad <drc@virtualized.org> wrote:
I would be surprised if this were true.
I'd argue that today, the vast majority of devices on the Internet (and certainly the ones that are used in massive D(D)oS attacks) are found hanging off singly-homed networks.
Yes, but RPF can be implemented in places other than the customer edge. In those places, lack of widespread, easy, and vendor-supported feasible-path uRPF is what I believe really hurts things.
Granted, this is along a different line than what the OP was talking about, but in terms of answering the question of "why don't we see ingress filtering as much as we should?", I think it's a large factor.
-- Darius Jahandarie
-- Bingyang Liu Network Architecture Lab, Network Center,Tsinghua Univ. Beijing, China Home Page: http://netarchlab.tsinghua.edu.cn/~liuby