On Wed, 2002-10-30 at 16:44, variable@ednet.co.uk wrote:
> Therefore, would it be a reasonable suggestion to ask router vendors to source address filtering in as an option[1] on the interface and then move it to being the default setting[2] after a period of time? This appeared to have some success with reducing the number of networks that forwarded broadcast packets (as with "no ip directed-broadcast"). [snip]
> [1] For example, an IOS config might be:
>
>     interface fastethernet 1/0
>      no ip forged-source-address
Well, this already exists, doesn't it? Try the following on your customer-facing interface:

    ip verify unicast source reachable-via rx
> [2] Network admins would still have the option of turning it off, but this would have to be explicitly configured.
I have a feeling that having strict uRPF as the default setting on an interface would be very badly received by a lot of ISPs. I know I certainly wouldn't like it very much. Is it really the job of router vendors to protect the net from lazy/incompetent/ignorant network admins?

/leg
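As an added illustration, not part of the thread, here is a small Python model of the strict (`reachable-via rx`) versus loose (`reachable-via any`) uRPF decision over a constructed FIB. It shows why strict mode drops a spoofed source but also drops legitimate traffic that arrives on an interface other than the one the FIB would use to reach its source, which is the asymmetric-routing concern behind the objection above. The prefixes and interface names are constructed; the `allow_default` flag models the IOS behaviour where the default route only counts as a uRPF match when the `allow-default` keyword is configured.

```python
import ipaddress

# Constructed FIB for the model: (prefix, interface the router would forward via).
FIB = [
    ("0.0.0.0/0", "Fa0/0"),        # default route towards the upstream
    ("192.0.2.0/24", "Fa1/0"),     # single-homed customer A
    ("198.51.100.0/24", "Fa1/1"),  # customer B; best return path is via Fa1/1
]

def lookup(fib, src):
    """Longest-prefix match: (network, interface) the router would use to reach src."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_permits(fib, src, ingress, mode="rx", allow_default=False):
    """True if uRPF admits a packet from src arriving on interface ingress.
    mode "rx"  models 'reachable-via rx'  (strict): the best route back to src
               must leave via the interface the packet came in on.
    mode "any" models 'reachable-via any' (loose): any route to src suffices.
    IOS only counts the default route when 'allow-default' is configured;
    allow_default models that keyword.
    """
    hit = lookup(fib, src)
    if hit is None:
        return False                 # no route at all: dropped in both modes
    net, via = hit
    if net.prefixlen == 0 and not allow_default:
        return False                 # matched nothing but the default route
    return True if mode == "any" else via == ingress

def scenarios():
    """Constructed cases: a spoofed source, a normal customer, and an asymmetric one."""
    return {
        "spoofed 10.0.0.1 in on Fa1/0, strict": urpf_permits(FIB, "10.0.0.1", "Fa1/0"),
        "spoofed 10.0.0.1 in on Fa1/0, loose + allow-default":
            urpf_permits(FIB, "10.0.0.1", "Fa1/0", "any", allow_default=True),
        "customer A 192.0.2.10 in on Fa1/0, strict": urpf_permits(FIB, "192.0.2.10", "Fa1/0"),
        "customer B 198.51.100.7 in on Fa1/0, strict": urpf_permits(FIB, "198.51.100.7", "Fa1/0"),
        "customer B 198.51.100.7 in on Fa1/0, loose": urpf_permits(FIB, "198.51.100.7", "Fa1/0", "any"),
    }

if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print("permit" if verdict else "drop  ", case)
```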