SYN spoofing and Ciscos crashing

Tony Tauber ttauber at bbnplanet.com
Wed Jul 28 21:21:11 UTC 1999


On Wed, 28 Jul 1999 jlewis at lewis.org wrote:

> 
> On Wed, 28 Jul 1999, bryan s. blank wrote:
> 
> > 
> > % 	ip verify unicast reverse-path
> > % 
> > % and according to Paul Ferguson (co-author of RFC 2267) it's in use by
> > % many ISPs. Apparently this is very-low overhead. Paul has also indicated
> > % the use of extended access lists on Cisco routers is very low overhead,
> > % especially on routers using distributed express forwarding.
> > 
> > 	while i hate to question mr. ferguson, it's my understanding
> > 	that many isps have found this feature to be unusable due to
> > 	network design.
> 
> I just took out a 7206 by applying ip verify unicast reverse-path to a T3
> link on a PA2T3 and attempting to spoof packets from the POP on the other
> end of that T3.
> 
> The 7206 is running c7200-inu-mz.111-25.CC.  Fortunately, it rebooted
> after it crashed.
> 
 
See:
 
CSCdm34439 - "configuring ip verify unicast return-path causes crash."
Found in 11.1(25)CC, fixed in 11.1(26.1)CC.
 
Release-note is
 
---------------
Configuring 'ip verify unicast return-path' on many interfaces may
cause crash.
---------------
 
As I recall, it gets tickled if there's multi-path stuff going on,
ie. multiple paths to a given destination, though it may not need
that to crash.
 
Just one other note: 
This feature is NOT "unusable due to network design".
True, it isn't useful for multihomed destinations (eg. where a
customer is multihomed to different routers), but it is useful
in other cases, which are typically the vast, vast majority.
Somewhat like Lojack, it's not crucial that it be absolutely ubiquitous,
every little bit helps the community at large.
 
Tony
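As an added illustration of the strict reverse-path check the thread discusses, and of the multihomed case Tony describes, here is a small Python model written for this page (it is not code from the thread and does not reproduce IOS internals). The FIB, interface names and packets are constructed sample data; the model makes one simplifying assumption, that a source matching only the default route has no valid reverse path.

```python
import ipaddress

# Constructed FIB for one router (sample data, not from the thread).
# prefix -> set of interfaces on which the best path(s) to that prefix leave.
FIB = {
    "0.0.0.0/0": {"Pos0"},                     # default route toward the core
    "192.0.2.0/24": {"Serial1"},               # customer A, single-homed on this router
    "198.51.100.0/24": {"Serial2"},            # customer B, also homed on a different router
    "203.0.113.0/24": {"Serial3", "Serial4"},  # customer C, two equal-cost links here
}

def best_route(fib, src):
    """Longest-prefix match for src; returns (network, interfaces) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, ifaces in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best

def strict_urpf_accepts(fib, src, ingress):
    """Strict reverse-path check: the packet passes only if one of the best
    paths back to its source leaves via the interface it arrived on.
    Simplifying assumption of this model: a match on the default route
    does not count as a usable reverse path."""
    match = best_route(fib, src)
    if match is None or match[0].prefixlen == 0:
        return False
    return ingress in match[1]

def audit(fib, packets):
    """Apply the check to (src, ingress) pairs; returns a list of verdicts."""
    return [(src, ingress, strict_urpf_accepts(fib, src, ingress))
            for src, ingress in packets]

if __name__ == "__main__":
    # Constructed sample packets: source address and arrival interface.
    sample = [
        ("192.0.2.10", "Serial1"),     # customer A from its own link: pass
        ("192.0.2.10", "Serial2"),     # A's address arriving on B's link: spoofed, drop
        ("203.0.113.5", "Serial4"),    # multipath: either equal-cost link passes
        ("198.51.100.7", "Pos0"),      # B's real traffic via the core: dropped; this is
                                       # the multihomed case where strict mode is unusable
        ("10.0.0.1", "Serial1"),       # unrouted source: drop
    ]
    for src, ingress, ok in audit(FIB, sample):
        print(f"{src:>14} on {ingress:<8} {'pass' if ok else 'drop'}")
```

The fourth sample packet is the point of Tony's caveat: on an interface where legitimate traffic can arrive asymmetrically, strict mode discards it, so the check belongs on single-homed customer edges rather than on core or multihomed links.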
