Force10 Gear - Opinions

James Jun james at towardex.com
Thu Sep 4 09:24:53 CDT 2008


> uRPF strict as a configuration default, on customers without possible
> asymmetry (multihoming, one-way tunneling, etc) is not a bad default.
> But when the customers increase in complexity, the time might come to
> relax things some.  It's certainly not a be-all-end-all.  And it's
> been demonstrated time after time here that anti-spoof/bogon filtering
> isn't even a factor in most large-scale attacks on the public Internet
> these days.  Think massively sized, well connected, botnets.  See also
> CP attacks (which, again, the F10 can't even help you with).

Indeed... In today's internet, protecting your own box (cp-policer/control
plane filtering) is far more important IMO than implementing BCP38 when much
of attack traffic comes from legitimate IP sources anyway (see botnets). 

james






More information about the NANOG mailing list