RE: CEF RPF check w/ACLs (was: Re: netscan.org update)
What a novel idea.. :). That would put all my expect programmers out of business though.. oh well. If there are any Cisco folks listening.. This just makes sense.

Mark
--
Mark Segal
Director, Network Engineering
Axxent Corp.
Tel: (416)907-2858
-----Original Message-----
From: James A. T. Rice [mailto:James_R-nanog@jump.org.uk]
Sent: Thursday, September 28, 2000 9:49 AM
To: nanog@merit.edu
Subject: Re: CEF RPF check w/ACLs (was: Re: netscan.org update)
Wow, I wonder what cisco would do with my wish list:
ip verify unicast reverse-exists
i.e. only accept the packet on this interface if there is a route back to the source, *not necessarily on the same interface*.. This should be safe to use on all interfaces and could use the existing CEF FIB, and might catch a lot of spoofed packets on a good day.
ip verify unicast destination-advertised
This would check the destination address on any packet coming into an interface, and drop it if a route to that destination wasn't advertised out of that interface - /ideal/ for NAPs & IXs. Couldn't use the existing CEF tables, Cisco would need to write an advertised-table for each interface. Again this should be safe to use on almost any interface.
Regards James
On Mon, 25 Sep 2000, Tony Tauber wrote:
> I was the one who asked for something like it and a friendly developer coded it up nice and quickly.
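The two checks James asks for, modelled next to the strict RPF check CEF already did, as an added toy example that is not code from this thread or from Cisco. The FIB, the per-interface advertised-prefix table, the interface names and the sample packets are all constructed for the illustration. It shows why the strict check fails on asymmetric routing (a legitimate source routed out a different interface is dropped), why the "reverse-exists" check must ignore a default route unless told otherwise (with a default route every source has "a route back" and the check catches nothing; Cisco's later loose-mode uRPF, `ip verify unicast source reachable-via any`, behaves this way unless `allow-default` is given), and how the "destination-advertised" check needs a table the FIB does not contain.

```python
import ipaddress

# Constructed FIB for a toy edge router: prefix -> egress interface.
# Prefixes, interface names and traffic below are made up for this example.
FIB = {
    "0.0.0.0/0":       "Serial0",    # default route towards the upstream
    "192.0.2.0/24":    "Ethernet0",  # customer A
    "198.51.100.0/24": "Ethernet1",  # customer B
    "203.0.113.0/24":  "Serial0",    # a prefix learned from the upstream
}

# Prefixes *advertised out of* each interface, i.e. what the peer on that
# interface should be sending us traffic for. Constructed; a real router
# would have to build this from its per-neighbour Adj-RIB-Out, which is
# exactly the "advertised-table" the post says Cisco would need to add.
ADVERTISED = {
    "Ethernet0": ["0.0.0.0/0"],                        # customer A gets a default
    "Ethernet1": ["0.0.0.0/0"],                        # customer B gets a default
    "Serial0":   ["192.0.2.0/24", "198.51.100.0/24"],  # upstream only hears our customers
}


def lookup(fib, addr):
    """Longest-prefix match over the FIB; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_rpf(fib, src, ingress):
    """Existing CEF strict check: the route back to src must point out the
    interface the packet arrived on. Drops legitimate traffic when routing
    is asymmetric, which is why it is unsafe on many interfaces."""
    hit = lookup(fib, src)
    return hit is not None and hit[1] == ingress


def reverse_exists(fib, src, allow_default=False):
    """Proposed 'ip verify unicast reverse-exists': accept if *any* route back
    to src exists, on whatever interface. A default route is not counted
    unless allow_default is set; otherwise every source would pass."""
    hit = lookup(fib, src)
    if hit is None:
        return False
    if hit[0].prefixlen == 0 and not allow_default:
        return False
    return True


def destination_advertised(advertised, dst, ingress):
    """Proposed 'ip verify unicast destination-advertised': accept only if a
    prefix covering dst was advertised out of the ingress interface."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(p) for p in advertised.get(ingress, []))


def classify(src, dst, ingress):
    """Run all three checks on one packet and return the verdicts."""
    return {
        "strict": strict_rpf(FIB, src, ingress),
        "reverse_exists": reverse_exists(FIB, src),
        "destination_advertised": destination_advertised(ADVERTISED, dst, ingress),
    }


# Constructed sample packets: (src, dst, ingress interface, description)
SAMPLES = [
    ("192.0.2.10",   "203.0.113.5", "Ethernet0", "customer A, legitimate"),
    ("198.51.100.7", "203.0.113.5", "Ethernet0", "customer B's address on A's port: spoof or asymmetric routing"),
    ("10.9.9.9",     "203.0.113.5", "Ethernet0", "unrouted (RFC 1918) source: classic spoof"),
    ("203.0.113.77", "192.0.2.10",  "Serial0",   "upstream to our customer, legitimate"),
    ("203.0.113.77", "10.9.9.9",    "Serial0",   "upstream sends a destination we never advertised"),
]

if __name__ == "__main__":
    for src, dst, iface, note in SAMPLES:
        v = classify(src, dst, iface)
        print(f"{iface:9} {src:>14} -> {dst:<14} strict={v['strict']!s:5} "
              f"reverse-exists={v['reverse_exists']!s:5} "
              f"dest-adv={v['destination_advertised']!s:5}  # {note}")
```

Running it shows the second sample dropped by strict RPF but passed by reverse-exists (the source is routable, just not out of that interface), the RFC 1918 source dropped by both, and the last sample passed by both source checks yet dropped by destination-advertised, which is the case an exchange-point operator cares about.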