Where is the edge of the Internet? Re: no ip forged-source-address

Måns Nilsson mansaxel at sunet.se
Tue Nov 5 09:10:10 UTC 2002


--On Monday, November 04, 2002 19:22:14 -0500 bdragon at gweep.net wrote:

> So, in this vein, is there gear other than old 12000 linecards that
> can't do RPF? Is anyone still using 2500's or 4500's?
> What non-hardware reasons are there not to do some flavor of rpf? Is
> there a situation where even loose rpf will not work?

SUNET has had a standing recommendation to its customers to enable RPF for
a couple of years now. Our customers come in two flavours, big and small.
The small ones get an FE, and there typically is marginal clue at the
customer site. For them we do "the long command" (ip verify unicast
reverse-path), as it has been known, in the access router, which in the
weird scale of a REN is a 12016 or a 12010 chock full of 8-port FE cards.
It keeps up with the load, and we've not seen any trouble so far.

The big customers are more interesting. They have redundant connections,
two 10720 routers on an OC48 SRP ring facing the backbone routers for that
city which are two 12408 or similar. There also is an AS transition on the
ring; nearly all our big customers have ASen and we speak BGP to them. This
setup of course means that traffic may enter via one of the routers and
exit via the other, leading to strangeness and confusion, especially when
the customer staff is less experienced in non-trivial routing.

In some cases we've helped them solve this by simple access lists, but that
is a bit too static to be really nice. 

-- 
Måns Nilsson            Systems Specialist
+46 70 681 7204         KTHNOC  MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.
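To make concrete why strict RPF trips over the redundant-ring setup described above while loose mode does not (and where loose mode still drops), here is a small Python model of the two unicast RPF checks run against a constructed FIB. This is an added illustration, not code from the post or from any router vendor; the interface names and the TEST-NET prefixes are made up, and the default-route handling mirrors the usual router behaviour of ignoring the default route unless explicitly allowed.

```python
import ipaddress

# Constructed FIB on one of the two ring routers. The customer's prefix is
# learned via the other ring router on Gi0/0, but because of the asymmetry
# the customer's outbound traffic actually arrives on Gi0/1.
FIB = {
    "192.0.2.0/24": "Gi0/0",     # big customer's prefix (TEST-NET-1, constructed)
    "198.51.100.0/24": "Gi0/1",  # another customer (TEST-NET-2, constructed)
    "0.0.0.0/0": "Gi0/2",        # default route toward the backbone
}


def lookup(src):
    """Longest-prefix match on FIB; returns (network, egress interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifc in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best


def rpf_check(src, ingress, mode, allow_default=False):
    """Return True if a packet from `src` arriving on `ingress` passes uRPF.

    strict: the FIB's best path to `src` must point back out `ingress`
            (what "ip verify unicast reverse-path" on the access routers does).
    loose:  any FIB entry for `src` suffices, regardless of interface.
    In both modes a match on the default route only counts if allow_default
    is set, otherwise an unrouted (bogon) source is still dropped.
    """
    hit = lookup(src)
    if hit is None:
        return False
    net, ifc = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "strict":
        return ifc == ingress
    if mode == "loose":
        return True
    raise ValueError(f"unknown uRPF mode {mode!r}")


if __name__ == "__main__":
    # The asymmetric case: legitimate customer traffic enters on Gi0/1.
    print("strict, asymmetric:", rpf_check("192.0.2.10", "Gi0/1", "strict"))  # False
    print("loose,  asymmetric:", rpf_check("192.0.2.10", "Gi0/1", "loose"))   # True
    print("loose,  unrouted  :", rpf_check("203.0.113.5", "Gi0/1", "loose"))  # False
```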