Todd Underwood was a little late

Steve Bertrand steve at ipv6canada.com
Fri Jun 18 13:21:37 UTC 2010


On 2010.06.18 09:06, William Herrin wrote:
> On Fri, Jun 18, 2010 at 8:37 AM, Steve Bertrand <steve at ipv6canada.com> wrote:

>> If all IP blocks are tied down to null, and urpf is enabled in loose
>> mode on an interface, it will catch cases where someone is sourcing
>> traffic to you using IPs from the unassigned space that you have in your
>> free pools.

> I'm not sure what that accomplishes. It doesn't close any doors. With
> loose-mode RPF he can still forge packets from any address actually in
> use.

yes, that is correct. However, it stops someone from outside sending
your network packets with a source address that currently resides in one
of your free pools.

What it does, is prevents packets with the illegal IP address from
actually being delivered to the intended destination within your network
preserving some (perhaps a very small amount) of bandwidth/router resources.

For instance, if I send your mail server a packet with a source of one
of your IPs that you currently do not have in use and you don't have rpf
enabled, the forged packet will make it to the server, be sent back to
it's next-hop, and then be discarded (if you have tie downs).

With urpf enabled, the packet is discarded upon the first ingress into
the network, thereby preventing it from going any further. This is what
I use loose mode for anyway.

Steve




More information about the NANOG mailing list