BCP38 Deployment
Jon Lewis
jlewis at lewis.org
Thu Mar 29 23:31:26 UTC 2012
On Thu, 29 Mar 2012, Joe Provo wrote:
> uRFP was a trivial, 0-impact feature on the cisco VXR-based CMTS
> platform. Assert a simple statement in the default config (along
> with 'ips classless' and all your other standard config elements)
uRPF: or as it's now used in ios,
ip verify unicast source reachable-via rx ...
I don't know what it would have to do with ip classless. It requires ip
cef, but so do lots of other "features" including reasonably fast packet
forwarding.
> and job done. It assisted in reducing our abuse desk workload by
> eliminating a class of attacks from us, so the trivial "cost" was
> worth it in opex. ISTR it being on the required feature list for
> additional CMTS evaluations but it has been many years since I
> touched that kit.
uRPF stops your customers from sending forged source address
packets. Since forged source address packets are rarely traced back to
their actual source, I'm not sure how configuring it on your network would
reduce your abuse desk workload at all.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
More information about the NANOG
mailing list