Todd Underwood was a little late

William Herrin bill at herrin.us
Fri Jun 18 10:27:57 CDT 2010


On Fri, Jun 18, 2010 at 9:21 AM, Steve Bertrand <steve at ipv6canada.com> wrote:
> On 2010.06.18 09:06, William Herrin wrote:
>> On Fri, Jun 18, 2010 at 8:37 AM, Steve Bertrand <steve at ipv6canada.com> wrote:
>
>> I'm not sure what that accomplishes. It doesn't close any doors. With
>> loose-mode RPF he can still forge packets from any address actually in
>> use.
>
> What it does is prevent packets with the illegal IP address from
> actually being delivered to the intended destination within your network,
> preserving some (perhaps a very small amount) of bandwidth/router resources.

Right, but to save that fractional bit of bandwidth you pay for an
extra TCAM or radix tree hit impacting every single packet entering
your system on your very expensive upstream border routers -- a
significant reduction in your hardware's capacity.

I get strict RPF - if you can guarantee symmetric routing (which you
often can in single-homed scenarios) it offers a meaningful
improvement in your network's security without configuration
management challenges at the cost of extra processing. But the
cost/benefit to loose RPF doesn't seem to come close to adding up in
any scenario that occurs to me.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
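The strict/loose distinction argued over above, as an added worked example that is not part of the thread. It is a toy model of unicast RPF, not any router's implementation: the FIB, the interface names (ge-0/0/1, ge-0/0/2, xe-1/0/0) and the four packets are constructed for illustration. The `allow_default` switch models the `allow-default` keyword of Cisco IOS `ip verify unicast source reachable-via {rx | any} [allow-default]`, under which the default route is otherwise not eligible for the RPF lookup.

```python
"""Toy model of unicast RPF in strict (rx) and loose (any) mode.

Constructed for illustration; the FIB, interface names and packets are
hypothetical and not taken from any real router.
"""
import ipaddress

# Constructed FIB: prefix -> interface the router would use to reach it.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "ge-0/0/1",     # customer A, single-homed
    ipaddress.ip_network("198.51.100.0/24"): "ge-0/0/2",  # customer B, multihomed
    ipaddress.ip_network("0.0.0.0/0"): "xe-1/0/0",        # default route to upstream
}
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def lookup(src, allow_default=False):
    """Longest-prefix match for src. The default route is only eligible when
    allow_default is set, mirroring the IOS `allow-default` keyword."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, ifc in FIB.items():
        if net == DEFAULT and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best


def urpf_strict(src, ingress, allow_default=False):
    """Strict mode: the best route back to src must point out the ingress interface."""
    hit = lookup(src, allow_default)
    return hit is not None and hit[1] == ingress


def urpf_loose(src, ingress, allow_default=False):
    """Loose mode: src merely has to be routable; the ingress interface is ignored."""
    return lookup(src, allow_default) is not None


# Constructed packets: (description, source address, ingress interface).
PACKETS = [
    ("legit customer A traffic", "192.0.2.10", "ge-0/0/1"),
    ("upstream packet spoofing customer A", "192.0.2.10", "xe-1/0/0"),
    ("upstream packet with unrouted source", "10.0.0.1", "xe-1/0/0"),
    ("customer B via other ISP (asymmetric)", "198.51.100.5", "xe-1/0/0"),
]


def evaluate(packets=PACKETS, allow_default=False):
    """Return {description: (strict_passes, loose_passes)} for each packet."""
    return {
        desc: (urpf_strict(src, ifc, allow_default), urpf_loose(src, ifc, allow_default))
        for desc, src, ifc in packets
    }


if __name__ == "__main__":
    for desc, (strict, loose) in evaluate().items():
        print(f"{desc:40s} strict={'pass' if strict else 'DROP'} "
              f"loose={'pass' if loose else 'DROP'}")
```

Running it shows both halves of the argument: loose mode passes the packet from the upstream that spoofs customer A's address (the source is in the FIB, so only genuinely unrouted sources are dropped), while strict mode catches it but also drops the legitimate customer B packet that arrived over the upstream because B's outbound path is asymmetric. The `allow_default` case is a further caveat worth checking: with the default route eligible, strict mode on the upstream-facing interface passes every source, since the default route points out that same interface.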