Who does source address validation? (was Re: what's that smell?)
Jared Mauch
jared at puck.Nether.net
Tue Oct 8 15:26:42 UTC 2002
On Tue, Oct 08, 2002 at 11:09:10AM -0400, Sean Donelan wrote:
> If there is a magic solution, I would love to hear about it.
to drop the rfc1918 space, there is a close to magic
solution.
install this on all your internal, upstream, downstream
interfaces (cisco router) [cef required]:
"ip verify unicast source reachable-via any"
This will drop all packets on the interface that do not
have a way to return them in your routing table.
> Unfortunately, the only solutions I've seen involve considerable work and
> resources to implement and maintain all the "exceptions" needed to do 100%
> source address validation.
Juniper has a somewhat viable solution to the 100% source
validation for bgp customers. they will consider non-best
paths in their unicast-rpf check on the customer interface. This
means that even if 35.0.0.0/8 is best returned via your
peer instead of via the provider the packet came in, but they
are advertizing the prefix to you, you will not drop the packet.
> Heck, the phone network still has trouble getting the correct Caller-ID
> end-to-end.
Uh, this is because it costs another 1/2 a cent a minute (or more)
to provision a caller-id capable trunk (long distance) and people just
don't want to pay the extra money and it's cheaper to not identify
oneself. (This is why most telemarketers don't generate caller-id
or if they can, they supress it).
- jared
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
More information about the NANOG
mailing list