Force10 Gear - Opinions
james at towardex.com
Thu Sep 4 09:24:53 CDT 2008
> uRPF strict as a configuration default, on customers without possible
> asymmetry (multihoming, one-way tunneling, etc) is not a bad default.
> But when the customers increase in complexity, the time might come to
> relax things some. It's certainly not a be-all-end-all. And it's
> been demonstrated time after time here that anti-spoof/bogon filtering
> isn't even a factor in most large-scale attacks on the public Internet
> these days. Think massively sized, well connected, botnets. See also
> CP attacks (which, again, the F10 can't even help you with).
Indeed... In today's internet, protecting your own box (cp-policer/control
plane filtering) is far more important IMO than implementing BCP38 when much
of attack traffic comes from legitimate IP sources anyway (see botnets).
More information about the NANOG