uRPF-based Blackhole Routing System Overview
tkernen at deckpoint.ch
Tue Nov 18 21:16:16 UTC 2003
Catching up on the thread... vendor C also calls it "IP Source-guard" on the
Cat 4K in IOS. And it actually works quite well (does require DHCP snooping).
----- Original Message -----
From: "Scott McGrath" <mcgrath at fas.harvard.edu>
To: <nanog at merit.edu>
Sent: Wednesday, November 12, 2003 5:17 PM
Subject: Re: uRPF-based Blackhole Routing System Overview
> Vendor C calls it DHCP snooping and to the best of my knowledge it is only
> available under IOS not CatOS
> Scott C. McGrath
> On Fri, 7 Nov 2003, Greg Maxwell wrote:
> > On Fri, 7 Nov 2003, Robert A. Hayden wrote:
> > [snip]
> > > One final note. This system is pretty useless for modem pools, VPN
> > > concentrators, and many DHCP implementations. The dynamic IP nature
> > > these setups means you will just kill legitimate traffic next time
> > > gets the IP. You can attempt to correlate your detection with the
> > > they were handed out, of course, in the hopes you find them.
> > Another approach to address this type of problem is the source spoofing
> > preventing dynamic-acls support that some vendors have been adding to
> > their products. I don't know if it's in anyone's production code-trains
> > yet.
> > The basic idea is that your switch snoops DHCP traffic to the port and
> > generates an ACL based on the address assigned to the client. Removing a
> > host is as simple as configuring your DHCP server to ignore it's
> > and perhaps sending a crafty packet (custom written DECLINE) to burp the
> > existing ACL out of the switch.
> > Vendor F calls this feature "Source IP Port Security", I'm not sure what
> > vendor C calls it.
> > Since this is a layer 2 feature you can configure it far out on the edge
> > and not just at the router.
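The mechanism the thread describes (switch snoops DHCP, derives a per-port allow rule from the assigned address, and a host is removed by dropping its binding) is easy to see in a small model. The following Python is an added example written for this page, not code from the thread or from any vendor; the port names, MACs, addresses and method names are constructed for illustration.

```python
# Added example (not from the NANOG thread): a minimal model of a DHCP-snooping
# switch with per-port source filtering. All names and sample values are made up.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Binding:
    """One entry of the snooping binding table: the (MAC, IP) a port may source."""
    mac: str
    ip: str


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        # Ports facing the DHCP server / uplink. Every other port is an untrusted edge.
        self.trusted = frozenset(trusted_ports)
        self.bindings: Dict[str, Binding] = {}  # client port -> Binding

    def on_dhcp_ack(self, ingress_port, client_port, client_mac, yiaddr) -> str:
        """Server -> client DHCPACK observed by the switch.

        Only ACKs arriving on a trusted port are believed; an ACK entering on an
        edge port is treated as a rogue server and never touches the table."""
        if ingress_port not in self.trusted:
            return "drop: DHCPACK from untrusted port " + ingress_port
        self.bindings[client_port] = Binding(mac=client_mac, ip=yiaddr)
        return f"bind {client_port} -> {client_mac}/{yiaddr}"

    def on_dhcp_release(self, client_port, client_mac, ip) -> str:
        """Client -> server DHCPRELEASE: remove the binding only if it matches."""
        b = self.bindings.get(client_port)
        if b and b.mac == client_mac and b.ip == ip:
            del self.bindings[client_port]
            return f"unbind {client_port}"
        return "ignore: no matching binding"

    def revoke(self, ip) -> Optional[str]:
        """Operator-driven removal: clear whichever port currently holds this IP.

        Returns the port that was cleared, or None if the IP was not bound."""
        for port, b in list(self.bindings.items()):
            if b.ip == ip:
                del self.bindings[port]
                return port
        return None

    def filter_data(self, ingress_port, src_mac, src_ip) -> str:
        """Per-port source check: permit only traffic matching the learned binding."""
        if ingress_port in self.trusted:
            return "permit"
        b = self.bindings.get(ingress_port)
        if b is None:
            return "deny: no binding on port"
        if b.ip != src_ip:
            return "deny: source IP not bound to port"
        if b.mac != src_mac:
            return "deny: source MAC not bound to port"
        return "permit"


def demo() -> List[str]:
    """Walk through a constructed sequence of events and return the decisions."""
    sw = SnoopingSwitch(trusted_ports=["Gi1/1"])  # constructed: uplink to DHCP server
    mac = "00:11:22:33:44:55"                     # constructed client MAC
    log = [
        sw.on_dhcp_ack("Gi1/5", "Gi1/5", mac, "10.0.0.50"),   # rogue server on edge port
        sw.on_dhcp_ack("Gi1/1", "Gi1/5", mac, "10.0.0.50"),   # legitimate lease
        sw.filter_data("Gi1/5", mac, "10.0.0.50"),            # matches binding
        sw.filter_data("Gi1/5", mac, "10.0.0.99"),            # spoofed source
        sw.on_dhcp_release("Gi1/5", mac, "10.0.0.50"),        # client gives lease back
        sw.filter_data("Gi1/5", mac, "10.0.0.50"),            # binding gone
    ]
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the filter is keyed on the port's current binding rather than on a static IP, the problem raised earlier in the thread (a blackhole on a dynamic address outliving the lease and hitting the next legitimate lessee) does not arise: once the binding is released or revoked, the rule disappears with it, and the next client on that address gets its own binding from its own lease.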