On Fri, Jun 18, 2010 at 9:21 AM, Steve Bertrand <steve@ipv6canada.com> wrote:
> On 2010.06.18 09:06, William Herrin wrote:
>> On Fri, Jun 18, 2010 at 8:37 AM, Steve Bertrand <steve@ipv6canada.com> wrote:
>>
>> I'm not sure what that accomplishes. It doesn't close any doors. With
>> loose-mode RPF he can still forge packets from any address actually in use.
>
> What it does is prevent packets with the illegal IP address from actually
> being delivered to the intended destination within your network, preserving
> some (perhaps a very small) amount of bandwidth/router resources.

Right, but to save that fractional bit of bandwidth you pay for an extra TCAM or radix tree hit impacting every single packet entering your system on your very expensive upstream border routers -- a significant reduction in your hardware's capacity.

I get strict RPF - if you can guarantee symmetric routing (which you often can in single-homed scenarios) it offers a meaningful improvement in your network's security without configuration management challenges at the cost of extra processing. But the cost/benefit to loose RPF doesn't seem to come close to adding up in any scenario that occurs to me.

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
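The difference the two of them are arguing about, as an added example that is not part of the thread: a small Python model of a border router's FIB with a strict-mode and a loose-mode uRPF check run over the same set of constructed packets. The FIB, interface names and source addresses are invented (documentation and RFC 1918 ranges); the "Null0 fails the check" and "default route only counts with allow-default" behaviour is modelled on the usual router semantics (IOS `ip verify unicast source reachable-via any|rx [allow-default]`) and is an assumption of the model, not a claim about any specific platform. It shows Bill's point concretely: loose mode passes a forged source as long as some route to it exists, while strict mode also drops it when the return path does not point back out the ingress interface, at the cost of dropping legitimate asymmetric traffic.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed FIB for a toy border router: (prefix, egress interface).
# "Null0" marks a discard route (a bogon or RTBH blackhole). Addresses are
# from documentation/private ranges; nothing here is from a real network.
FIB = [
    ("0.0.0.0/0",      "Gi0/0"),   # default route toward the upstream
    ("203.0.113.0/24", "Gi0/1"),   # single-homed customer A
    ("192.0.2.0/24",   "Gi0/2"),   # multi-homed customer B, best path via Gi0/2
    ("10.0.0.0/8",     "Null0"),   # RFC 1918 space blackholed
]

# Constructed packets arriving on customer A's port: (source IP, ingress interface).
PACKETS = [
    ("203.0.113.5",  "Gi0/1"),   # A's own address: legitimate
    ("198.51.100.7", "Gi0/1"),   # forged source that is "actually in use" (reached via default)
    ("10.1.2.3",     "Gi0/1"),   # forged source from blackholed RFC 1918 space
    ("192.0.2.9",    "Gi0/1"),   # B's address arriving on A's port (asymmetric routing)
]


def fib_lookup(fib, ip: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match. Returns (matched network, egress interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src_ip: str, ingress: str, mode: str, allow_default: bool = False) -> bool:
    """Return True if the packet passes the uRPF check, False if it would be dropped.

    Modelled semantics (assumption): a source with no route, a source whose
    only match is the default route (unless allow_default), or a source whose
    route points to Null0 fails in both modes. Loose mode then passes anything
    else; strict mode additionally requires the return route to exit via the
    interface the packet arrived on.
    """
    match = fib_lookup(fib, src_ip)
    if match is None:
        return False
    net, egress = match
    if net.prefixlen == 0 and not allow_default:
        return False
    if egress == "Null0":
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return egress == ingress
    raise ValueError("mode must be 'loose' or 'strict'")


def run(mode: str, allow_default: bool = True) -> dict:
    """Evaluate every constructed packet under one mode; maps source IP -> passed?"""
    return {src: urpf_check(FIB, src, ingress, mode, allow_default)
            for src, ingress in PACKETS}


if __name__ == "__main__":
    loose, strict = run("loose"), run("strict")
    print(f"{'source':<14} {'loose':<6} {'strict':<6}")
    for src, _ in PACKETS:
        print(f"{src:<14} {'pass' if loose[src] else 'DROP':<6} {'pass' if strict[src] else 'DROP':<6}")
```

Reading the table: only the blackholed 10.1.2.3 is caught by loose mode, which is the "small amount of bandwidth" Steve refers to; the forged 198.51.100.7 sails through loose mode because a route to it exists, and strict mode stops it only because the return route exits Gi0/0 rather than Gi0/1. The 192.0.2.9 row is strict mode's false positive, the reason Bill ties it to guaranteed symmetric routing. Both checks cost one extra lookup per packet regardless of outcome.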