down sev0?

Jared Mauch jared at
Thu Oct 26 11:25:51 UTC 2006

On Thu, Oct 26, 2006 at 06:03:54AM +0000, Fergie wrote:
> Randy,
> I don't think I implied anything of the sort.
> I did, however, pipe up when a BCP is mentioned that I endorse,
> and co-authored -- and likewise, cannot figure out for life of
> me, why there is such push-back from the Ops community on doing
> The Right Thing.

	The challenge is that the router vendors still haven't
done "The Right Thing".

	I have one device that

1) halves its forwarding table space by enabling u-rpf
2) can only do either strict or loose mode rpf *GLOBALLY* so I can
   not strict rpf-check a static customer AND loose rpf someone
   larger for unrouted space.

	because of the above (#1 isn't that bad, but #2 is)
I can't enable u-rpf on the device as a policy.  Changing one
interface from loose -> strict silently changes all other u-rpf
interfaces and then customers gripe about dropped packets.

	obviously moving these checks closer to the edge
is ideal, such as always doing rpf on the ethernet lan
interface for your customer CPE.

> Having said that, botnets don't need to spoof addresses -- the
> sheer dispersion of geographic and AS infection base renders the
> whole point of spoofing almost moot.

	yup, it's an evolving threat, even if some solution to the
botnet problem is discovered, it will take years to fix.  Think of
the smurf amplifiers that are still out there[1].

	- jared

1 -

Jared Mauch  | pgp key available via finger from jared at
clue++;      |  My statements are only mine.

More information about the NANOG mailing list