On Aug 18, 2008, at 6:33 AM, Jared Mauch wrote:
On a router with full routes (ie: no default) the command is:
Router(config-if)#ip verify unicast source reachable-via any
Go ahead and try it out. you can view the resulting drop counter via the 'show ip int <x/y>' command.
While you're at it, you should also place the reachable-via rx on all your customer interfaces. If you're paranoid, start with the 'any' RPF and then move to the strict RPF. The strict RPF also helps with routing loops.
That's a good point. My problem with "loose mode" RPF is that subjecting a packet's source address to a check for the existence of ANY FIB entry only mitigates spoofing of non-routed ranges. All the interesting attacks today that employ spoofing (and the majority of the less-interesting ones that employ spoofing) usually rely on the existence of the source as part of the attack vector (e.g., DNS cache poisoning, BGP TCP RST attacks, DNS reflective amplification attacks, etc.), and as a result, loose mode gives folks a false sense of protection/action.
-danny
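The two uRPF modes discussed in the thread differ only in what the source-address FIB lookup has to satisfy, and the difference is easiest to see by running both checks over the same packets. The following Python model is an added example and not code from either poster or from any router vendor: the FIB, interface names and sample packets are all constructed. It models `reachable-via any` as "some FIB entry covers the source" and `reachable-via rx` as "the best route back to the source points out the ingress interface", and it also shows why the advice is qualified with "no default": a 0.0.0.0/0 entry makes every source pass the loose check.

```python
import ipaddress
from dataclasses import dataclass

# Constructed FIB for a router carrying full routes and NO default route:
# prefix -> interface the route points out of. Interface names are hypothetical.
FIB = {
    "10.1.0.0/16": "Gi0/1",        # customer A
    "10.2.0.0/16": "Gi0/2",        # customer B
    "192.0.2.0/24": "Gi0/3",       # reached via upstream/peer
    "198.51.100.0/24": "Gi0/3",
}

def lookup(fib, addr):
    """Longest-prefix match on the source address; None when no route covers it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_loose(fib, src):
    """'reachable-via any': accept if ANY FIB entry covers the source.
    This only catches sources with no route at all (bogons, unallocated space)."""
    return lookup(fib, src) is not None

def urpf_strict(fib, src, ingress):
    """'reachable-via rx': accept only if the best route back to the source
    points out the interface the packet arrived on."""
    match = lookup(fib, src)
    return match is not None and match[1] == ingress

@dataclass(frozen=True)
class Packet:
    src: str      # source address from the IP header
    ingress: str  # interface the packet arrived on

# Constructed sample traffic, all arriving on customer A's interface.
SAMPLE = [
    Packet("10.1.5.5", "Gi0/1"),       # legitimate customer A source
    Packet("10.2.7.7", "Gi0/1"),       # spoofs customer B (a routed address)
    Packet("192.0.2.53", "Gi0/1"),     # spoofs a routed external address
    Packet("203.0.113.9", "Gi0/1"),    # no route at all (bogon)
]

def evaluate(fib, packets):
    """Verdict per packet under both modes: {'src', 'ingress', 'loose', 'strict'}."""
    return [
        {"src": p.src, "ingress": p.ingress,
         "loose": urpf_loose(fib, p.src),
         "strict": urpf_strict(fib, p.src, p.ingress)}
        for p in packets
    ]

def loose_gap(fib, packets):
    """Sources that loose mode forwards but strict mode drops: spoofed but
    routed addresses, the gap the thread calls a false sense of protection."""
    return [v["src"] for v in evaluate(fib, packets) if v["loose"] and not v["strict"]]

def loose_with_and_without_default(fib, src, default_iface="Gi0/3"):
    """Why the advice says 'no default': with 0.0.0.0/0 in the FIB every source
    has a covering route, so loose mode stops dropping even bogons."""
    with_default = {**fib, "0.0.0.0/0": default_iface}
    return urpf_loose(fib, src), urpf_loose(with_default, src)

if __name__ == "__main__":
    for v in evaluate(FIB, SAMPLE):
        print(f"{v['src']:>14} on {v['ingress']}: "
              f"loose={'pass' if v['loose'] else 'DROP'} "
              f"strict={'pass' if v['strict'] else 'DROP'}")
    print("loose forwards but strict drops:", loose_gap(FIB, SAMPLE))
    print("bogon under loose (no default, with default):",
          loose_with_and_without_default(FIB, "203.0.113.9"))
```

Running it shows the legitimate packet passing both checks, the bogon failing both, and the two spoofed-but-routed sources passing loose mode while strict mode drops them. The usual caveat when moving customer interfaces to strict mode, which the model also makes visible, is asymmetric routing: a multihomed customer whose best return path points out a different interface will fail the `rx` check even though the source is genuine, so the drop counter from `show ip int` should be watched after the change.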