Note that RPF checks aren't foolproof; asymmetric
routes can cause them to kill off traffic that
shouldn't be killed. My best guess of why RPF
checks have become popular is that they're really
trivial for routers to perform and enforce (just a
FIB lookup). The same protection could be provided
via L3+ filtering, though the configuration and
performance is more problematic (though not overly
so, IMO).
Just as a note: RPF needs to be done at the edges
of the trust boundary, not the first hop router.
Mike
Glenn Morrow writes:
> Definitely not for IPv4 due to its deployed base but perhaps it could be
> done for IPv6 - it is an idea - why not?
>
> -----Original Message-----
> From: Edward Vielmetti [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 18, 2001 12:41 PM
> To: Morrow, Glenn [RICH2:C330:EXCH]
> Cc: Michael Thomas; Thomas Eklund; '[EMAIL PROTECTED]';
> '[EMAIL PROTECTED]'
> Subject: RE: Source addresses, DDoS prevention and ingress filtering
>
>
> And you're going to mandate source filtering on the first hop across the
> entire internet, how? It's a great idea and a best common practice but
> not something that can be set by fiat.
>
> Ed
>
> On Wed, 18 Apr 2001, Glenn Morrow wrote:
>
> > Then again if source filtering is mandated on the first hop this might
> > eliminate the need to do filtering on other hops and this would eliminate
> > the need to do subnet translation or tunneling by either the MN or the MR.
> >
> > -----Original Message-----
> > From: Morrow, Glenn [RICH2:C330:EXCH]
> > Sent: Wednesday, April 18, 2001 11:56 AM
> > To: 'Michael Thomas'
> > Cc: Michael Thomas; Thomas Eklund; '[EMAIL PROTECTED]';
> > '[EMAIL PROTECTED]'
> > Subject: RE: Source addresses, DDoS prevention and ingress filtering
> >
> >
> > Oh, I see what you were concerned about. It seems to me that an MR will have
> > to tunnel or subnet translate unless it is on its home subnet.
> >
> > -----Original Message-----
> > From: Michael Thomas [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, April 18, 2001 9:49 AM
> > To: Morrow, Glenn [RICH2:C330:EXCH]
> > Cc: Michael Thomas; Thomas Eklund; '[EMAIL PROTECTED]';
> > '[EMAIL PROTECTED]'
> > Subject: RE: Source addresses, DDoS prevention and ingress filtering
> >
> >
> > Glenn Morrow writes:
> > > If the node behind the MR obtained its home address from the mobile
> > > router's subnet, then the MN will use this as the source i.e. the MN's home
> > > subnet is the MR's subnet.
> >
> > Right, but when the MR's upstream router does an
> > RPF check... it will drop the SN's packets.
> >
> > > Either way (tunneling or subnet translation), the topological correctness is
> > > still maintained.
> >
> > Well, that's sort of the problem. The SN doesn't
> > know that it's putting topologically incorrect
> > source address in the IP header.
> >
> > Mike
> >
>
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
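As a worked illustration of the points argued in the thread above (the RPF check is "just a FIB lookup"; strict mode drops legitimate traffic on asymmetric paths; a node behind a mobile router that keeps using its home-subnet address fails the check at the MR's upstream router unless the MR tunnels), here is an added example that is not part of the original post or of any router vendor's code. The FIB, interface names (eth0..eth4, uplink), prefixes and packet cases are all constructed for illustration; the strict/loose modes and the handling of the default route model common router behaviour but are assumptions of this toy, not a description of any specific implementation.

```python
"""Toy unicast RPF (uRPF) check against a FIB.

Added example, not code from the mailing-list post. The FIB, interface
names and addresses below are constructed for illustration only.
"""
import ipaddress

# Constructed FIB for the MR's upstream router: prefix -> set of egress interfaces.
FIB = {
    "10.1.0.0/16":  {"eth0"},    # customer A, single-homed behind eth0
    "10.2.0.0/16":  {"eth1"},    # customer B behind eth1 (the link the MR attaches to)
    "10.3.0.0/16":  {"eth2"},    # customer C also sends via eth3, but this router's
                                 # best path back is eth2 only (asymmetric routing)
    "192.0.2.0/24": {"eth4"},    # the MR's home subnet, reachable via eth4
    "0.0.0.0/0":    {"uplink"},  # default route
}


def lookup(fib, addr):
    """Longest-prefix match. Returns (network, egress_ifaces) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifaces in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best


def urpf_check(fib, src, in_iface, mode="strict", allow_default=False):
    """Reverse-path check for a packet with source `src` arriving on `in_iface`.

    strict: the FIB's egress interface(s) for src must include in_iface.
    loose:  any route back to src suffices; only unrouted sources are dropped.
    allow_default: let the default route satisfy the check. Off by default,
    because otherwise loose mode would accept every source address.
    """
    hit = lookup(fib, src)
    if hit is None:
        return False
    net, ifaces = hit
    if net.prefixlen == 0 and not allow_default:
        return False  # only the default route leads back: treat as unrouted
    if mode == "loose":
        return True
    if mode == "strict":
        return in_iface in ifaces
    raise ValueError(f"unknown uRPF mode: {mode}")


# Constructed packets covering the situations the thread argues about.
CASES = {
    "legit":         ("10.1.5.5",    "eth0"),  # A uses its own address on its own link
    "spoofed":       ("10.2.9.9",    "eth0"),  # A forges B's address
    "bogon":         ("203.0.113.7", "eth0"),  # source with no route except the default
    "asymmetric":    ("10.3.1.1",    "eth3"),  # C's genuine traffic arriving via eth3
    "mobile_home":   ("192.0.2.10",  "eth1"),  # node behind the MR keeps its home address
    "mobile_tunnel": ("10.2.200.1",  "eth1"),  # MR tunnels: outer source is its care-of address
}


def run_cases(fib=FIB, cases=CASES):
    """Return {case: (strict_result, loose_result)} for each constructed packet."""
    return {
        name: (urpf_check(fib, src, iface, "strict"),
               urpf_check(fib, src, iface, "loose"))
        for name, (src, iface) in cases.items()
    }


if __name__ == "__main__":
    for name, (strict, loose) in run_cases().items():
        print(f"{name:14s} strict={'pass' if strict else 'DROP':4s} "
              f"loose={'pass' if loose else 'DROP'}")
```

Running it shows the trade-off behind the two messages above: strict mode drops the spoofed packet but also drops customer C's genuine traffic on the asymmetric path and the mobile node's home-addressed packet, which is exactly the "topologically incorrect source address" Mike describes; once the MR tunnels, the outer header carries the MR's care-of address on the expected interface and the check passes. Loose mode avoids the asymmetric-route false positives but then catches only unrouted sources, so it does nothing against a forged address that is routed somewhere, which is why the check has to sit at the edge of the trust boundary to have any bite.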