> Not so fast, there are situations when you are authorized to have a certain > chunk of address space but elect not to advertise it a certain way for > whatever reason. Maybe someone has a pipe that they want to use for > outbound traffic only and they don't want to use it at all inbound traffic, > and as a result, they don't advertise their routes across it. What > justification do you use for dropping traffic that falls into this category? It's a general principle. Anyhow, they're going to get damned little inbound traffic unless they announce a route for it to *someplace*. I think the original *general* policy was "If we don't have ANY route for it, we don't accept the traffic", which sort of makes sense - how would you get through a TCP 3-way handshake if the SYN+ACK always got back a ICMP Host Unreachable? I saw no requirement that the routing not be assymetric, only that routing exist. I'm sure Mark Prior will correct me if I mis-read him... ;) Actually since we use "ip verify unicast reverse-path" we expect the route to come from the same place as the traffic. Mark.