On Sun, 3 Jun 2007, Vishwas Manral wrote:
> The idea is that for every router the packet goes through, we need to
> check the IP address of all the interface addresses, and make sure
> that none of the interface addresses either before or after in the
> source routing header match any of the IP addresses of the packet.

Not sure whether this is worth doing in the first place, but just to get the story straight:

By 'goes through', do you also mean intermediate routers which do not need to process the routing header in any way (i.e.: are never in the "Destination Address" field of the routing header)?

If yes, this would require punting packets from hardware forwarding to the control processor which is IMHO a non-starter.

Yes, RPF check could be helpful too. But I am unsure how it would behave in case of ECMP or other anomaly cases.

Maybe Jeroen meant to refer to ingress/egress filtering in general, not just uRPF. Strict uRPF is usually applied around the edges of the network (where the size and definition of 'network' varies). Other kinds of ingress/egress ACLs (usually static / automatically generated ones) can be better applied at peering/upstream/etc. borders. Having such ACLs prevents almost all RH0 looping abuse. (There is a scenario Gert Döring mentioned where you loop between backbone routers within the target organization, but that can be eliminated by disabling RH0 processing in that organization's routers' control plane).

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
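Added example, not from the thread or either poster: a Python sketch of the control-plane check the quoted proposal describes, run by a router that is the current Destination Address of an RH0 packet. It parses the Type 0 routing header, then rejects the packet if any segment (visited or remaining) is one of the router's own interface addresses or the packet's source/destination, and additionally if any segment is repeated (the ping-pong pattern behind RH0 amplification). The header bytes, interface addresses and packet addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress
import struct

# RH0 layout (RFC 2460 s.4.4): Next Header(1) Hdr Ext Len(1) Routing Type(1)
# Segments Left(1) Reserved(4), then Hdr Ext Len/2 16-byte addresses.
RH0_FIXED_LEN = 8

def parse_rh0(hdr: bytes):
    """Return (segments_left, [IPv6Address, ...]) from a raw RH0 header."""
    if len(hdr) < RH0_FIXED_LEN:
        raise ValueError("RH0 header too short")
    _next_hdr, ext_len, rtype, seg_left = struct.unpack("!BBBB", hdr[:4])
    if rtype != 0:
        raise ValueError(f"not a type 0 routing header (type {rtype})")
    if ext_len % 2 or len(hdr) < RH0_FIXED_LEN + ext_len * 8:
        raise ValueError("Hdr Ext Len inconsistent with header length")
    n_addr = ext_len // 2
    addrs = [ipaddress.IPv6Address(hdr[8 + 16 * i:24 + 16 * i]) for i in range(n_addr)]
    if seg_left > n_addr:
        raise ValueError("Segments Left exceeds number of addresses")
    return seg_left, addrs

def build_rh0(next_hdr, seg_left, addrs):
    """Serialise an RH0 header (used only to construct the sample below)."""
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return struct.pack("!BBBBI", next_hdr, 2 * len(addrs), 0, seg_left, 0) + packed

def rh0_loop_violations(local_ifaddrs, src, dst, addrs):
    """Reasons to drop: a segment that is a local interface address or the packet's
    own src/dst means the packet has been here or will return; a repeat is ping-pong."""
    local = {ipaddress.IPv6Address(a) for a in local_ifaddrs}
    pkt = {ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)}
    reasons, seen = [], set()
    for i, a in enumerate(map(ipaddress.IPv6Address, addrs)):
        if a in local:
            reasons.append(f"segment {i} ({a}) is a local interface address")
        if a in pkt:
            reasons.append(f"segment {i} ({a}) equals packet source/destination")
        if a in seen:
            reasons.append(f"segment {i} ({a}) repeats an earlier segment")
        seen.add(a)
    return reasons

# Constructed sample using the 2001:db8::/32 documentation prefix.
LOCAL_IFADDRS = ["2001:db8::1", "2001:db8:1::1"]  # this router's interfaces
PKT_SRC, PKT_DST = "2001:db8:ffff::7", "2001:db8::1"
SAMPLE_RH0 = build_rh0(58, 4, ["2001:db8:2::5", "2001:db8::1",
                                "2001:db8:2::5", "2001:db8:a::9"])

def check_sample():
    """Parse the constructed header and run the check as this router would."""
    return rh0_loop_violations(LOCAL_IFADDRS, PKT_SRC, PKT_DST, parse_rh0(SAMPLE_RH0)[1])
```

The sample yields three drop reasons (a local address in the list, that same address equalling the packet destination, and a repeated segment); the check is control-plane only, which is exactly the cost Pekka raises for routers that are not named in the header.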
