Network Operators and smurf

Havard.Eidnes at Havard.Eidnes at
Sat Apr 25 16:19:26 UTC 1998

> > 2. Routers/Gateways should be configured to drop all packets
> > with invalid source addresses.
> >
> > The problem is us.  This isn't a research network run and
> > maintained by the knowledgable.  This is a business.  We're
> > selling a product, and if we expect it to operate as
> > advertised, it's up to us to educate those we sell it to.
> The problem isn't us.  It's cicso, and Bay, and Ascend,
> and... everyone who won't put an anti-forging filter on their
> border routers so we _can_ turn it on.  The first time someone
> co-sues cisco, it'll get fixed with 30 days.

Current recipe for anti-forging with Cisco hardware:

 o Pick up CEF code (11.1(17)CC, which doesn't yet (?) exist for all
   Cisco platforms, unfortunately)

 o Configure:

   ip cef switch
   ! or "ip cef distributed switch" for an RSP+VIP2 based box
   interface whatever
     ip verify unicast reverse-path

This should (naturally) be implemented where routing is symmetric
and where a "reverse-path check" (looking up the source address in
the routing table to find the "expected" incoming interface and
checking whether the packet did indeed enter through that interface)
makes sense.  If you have Ascend/Livingston or other dial-up
equipment this check should probably be implemented in the closest
up-stream router which has this capability, and definately not in a
router which could take part in asymmetric traffic patterns.

- Håvard

More information about the NANOG mailing list