> Let me try to help by providing a more detailed listing of
> why address filtering is not done in some networks:
>
> a) there is legacy equipment which doesn't have line-rate
>    filtering capability
> b) network is sufficiently large and complex that defining
>    the border of your network is almost impossible (may apply to
>    some Tier1 networks)
> c) setting up some filtering solutions may be error-prone
>    unless done carefully in some asymmetric/flapping routing
>    etc. scenarios
> d) it isn't considered worth the time to do so, unless
>    there is clearer benefit or e.g. law requirements

E) There isn't any perceived new revenue to the network generated from turning on source address policing.

"E" is the #1 reason I've run into with SPs for not deploying source address policing.

Comment on the draft - L3 source validation was OK 10 years ago - but not today. It has to be an L2/L3 source check today. This is why there are more ports configured with DHCP Lease Query and IP Source Verify (both L2/L3 source checks) than with uRPF Strict.
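The difference between an L3-only check such as uRPF Strict and an L2/L3 source check, shown as an added example that is not part of the original message. The routing table, port names, MAC addresses and DHCP bindings are constructed sample data, and the two functions are simplified models of the checks, not any vendor's implementation.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    port: str      # access port (or modem) the frame arrived on
    src_mac: str
    src_ip: str

# Constructed sample state: one routed interface serving a shared subnet.
ROUTES = {"192.0.2.0/24": "access0"}               # FIB: prefix -> interface
PORT_TO_IFACE = {"port1": "access0", "port2": "access0"}
# Bindings learned from DHCP (snooping or lease query): port -> (MAC, IP)
BINDINGS = {
    "port1": ("02:00:00:00:00:01", "192.0.2.10"),
    "port2": ("02:00:00:00:00:02", "192.0.2.20"),
}

def urpf_strict(pkt):
    """L3 only: the best route back to the source must use the ingress interface."""
    src = ipaddress.ip_address(pkt.src_ip)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best is not None and best[1] == PORT_TO_IFACE.get(pkt.port)

def l2l3_source_check(pkt):
    """L2/L3: the (MAC, IP) pair must equal the DHCP binding for that port."""
    return BINDINGS.get(pkt.port) == (pkt.src_mac, pkt.src_ip)

def evaluate(pkt):
    return {"urpf_strict": urpf_strict(pkt), "l2l3": l2l3_source_check(pkt)}

# Constructed packets, all arriving on port1.
SAMPLES = {
    "legitimate": Packet("port1", "02:00:00:00:00:01", "192.0.2.10"),
    "neighbor_ip": Packet("port1", "02:00:00:00:00:01", "192.0.2.20"),
    "off_subnet": Packet("port1", "02:00:00:00:00:01", "198.51.100.7"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12} {evaluate(pkt)}")
```

The `neighbor_ip` case is the gap: the source address belongs to another subscriber on the same subnet, so the L3 check accepts it and only the per-port binding check rejects it.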
