Sriram, Kotikalapudi (Fed) wrote: > This work has been submitted to OPSEC WG. > Posting here also since it may be of interest to GROW WG members as well. > Comments/suggestions on this draft are welcome -- here or on the OPSEC list. > Thank you.
Sriram, this looks difficult to implement and easy to spoof. urpf is already hard enough to implement in hardware and my understanding is that it usually requires either packet recirculation for the SAV process or else a separate source address lookup per packet. If this lookup process is tied into other validation mechanisms which aren't available in the forwarding engine (e.g. common source ASN, etc), then there would be a requirement to punt packets, which is not viable. Could you explain how feasible urpf can avoid this situation? Nick _______________________________________________ GROW mailing list GROW@ietf.org https://www.ietf.org/mailman/listinfo/grow