Nick,

Thanks for your comments.

> this looks difficult to implement and easy to spoof. urpf is already hard
> enough to implement in hardware and my understanding is that it usually
> requires either packet recirculation for the SAV process or else a separate
> source address lookup per packet. If this lookup process is tied into other
> validation mechanisms which aren't available in the forwarding engine (e.g.
> common source ASN, etc), then there would be a requirement to punt packets,
> which is not viable.

The common source ASN checking is performed on BGP updates in the control plane (not in the data path), and that results in adding some additional allowed prefixes (for particular interfaces) to the Reverse Path Filter (RPF) list for SAV. I don't think this would result in other validation mechanisms which aren't available in the forwarding engine. The data plane would perform the usual uRPF check: does the SA in the data packet belong to a prefix in the RPF list for the interface it was received on? So there shouldn't be any requirement to punt data packets.

If there are specific implementation details that I should be aware of, please let me know. I would be very interested.

Sriram

-----Original Message-----
From: Nick Hilliard [mailto:[email protected]]
Sent: Tuesday, November 01, 2016 12:16 PM
To: Sriram, Kotikalapudi (Fed) <[email protected]>
Cc: [email protected]
Subject: Re: [GROW] Fw: New Version Notification for draft-sriram-opsec-urpf-improvements-00.txt

Sriram, Kotikalapudi (Fed) wrote:
> This work has been submitted to OPSEC WG.
> Posting here also since it may be of interest to GROW WG members as well.
> Comments/suggestions on this draft are welcome -- here or on the OPSEC list.
> Thank you.

Sriram,

this looks difficult to implement and easy to spoof. urpf is already hard enough to implement in hardware and my understanding is that it usually requires either packet recirculation for the SAV process or else a separate source address lookup per packet.

If this lookup process is tied into other validation mechanisms which aren't available in the forwarding engine (e.g. common source ASN, etc), then there would be a requirement to punt packets, which is not viable. Could you explain how feasible urpf can avoid this situation?

Nick

_______________________________________________
GROW mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/grow
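As an added illustration of the control-plane / data-plane split Sriram describes (this is not code from the thread, the draft, or any router vendor), the Python model below builds a per-interface RPF list in the "control plane" and then performs a single source-address membership lookup per packet in the "data plane". The routes, interface names and the one extra permitted prefix are constructed sample data; the extra entry stands in for whatever the control plane decides to add after inspecting BGP updates, and the model does not implement the draft's actual selection logic. The point it demonstrates is that adding prefixes to the list changes what the lookup matches, not what the lookup is.

```python
import ipaddress
from collections import defaultdict

# Constructed sample routing information (not taken from the thread):
# (prefix, interface the route was learned on).
ROUTES = [
    ("192.0.2.0/24", "Gi0/1"),
    ("198.51.100.0/24", "Gi0/2"),
    ("203.0.113.0/24", "Gi0/2"),
]

# Constructed example of a control-plane augmentation: a prefix the
# control plane decided to permit on Gi0/2 in addition to what a plain
# strict-uRPF derivation would allow there. How such entries are chosen
# (e.g. from BGP update attributes) is an assumption outside this model.
AUGMENTED = [
    ("192.0.2.0/24", "Gi0/2"),
]


def build_rpf_table(routes, augmented):
    """Control plane: derive the per-interface list of permitted source prefixes.

    Both the ordinary routes and the augmented entries end up as plain
    prefixes in the same table, so the data plane sees a single structure.
    """
    table = defaultdict(list)
    for prefix, iface in list(routes) + list(augmented):
        net = ipaddress.ip_network(prefix)
        if net not in table[iface]:
            table[iface].append(net)
    # Most specific first, so the first hit is the longest-prefix match.
    for iface in table:
        table[iface].sort(key=lambda n: n.prefixlen, reverse=True)
    return dict(table)


def rpf_check(table, iface, src):
    """Data plane: one lookup of the packet's source address against the
    RPF list of the interface it arrived on. Returns True if permitted."""
    sa = ipaddress.ip_address(src)
    for net in table.get(iface, []):
        if sa in net:
            return True
    return False


def filter_packets(table, packets):
    """Apply rpf_check to a batch of (iface, src) tuples and return the
    verdict for each, in order. Nothing is punted; every packet is decided
    by the same lookup."""
    return [(iface, src, rpf_check(table, iface, src)) for iface, src in packets]


if __name__ == "__main__":
    rpf = build_rpf_table(ROUTES, AUGMENTED)
    sample = [
        ("Gi0/1", "192.0.2.10"),     # matches its own route
        ("Gi0/2", "192.0.2.10"),     # permitted only via the augmented entry
        ("Gi0/1", "198.51.100.5"),   # wrong interface: dropped
        ("Gi0/3", "203.0.113.7"),    # no RPF list at all: dropped
    ]
    for iface, src, ok in filter_packets(rpf, sample):
        print(f"{iface:6} {src:16} {'permit' if ok else 'drop'}")
```

Note that the model uses a linear scan over a sorted list purely for readability; a forwarding engine would hold the same per-interface prefixes in its existing longest-prefix-match structure, which is what keeps the per-packet cost at one lookup.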
