On Tue, 19 Aug 2008, Kevin Loch wrote:
While you're at it, you also placed the reachable-via rx on
all your customer interfaces. If you're paranoid, start with the 'any'
rpf and then move to the strict rpf. The strict rpf also helps with
routing loops.
Be careful not to enable strict rpf on multihomed customers. This includes
any bgp customer unless you know for sure they are single homed to you and
that will not
change.
Isn't it time to change the assumption that sending arbitrary source IP
addresses without checking is Ok?
Unless the customer has specifically told their ISP about all the IP
addresses they intend to use as source IP addresses, shouldn't the default
be to drop those packets.
If those multi-homed customers have not told their upstream ISPs about
additional source IP addresses (hopefully also registered/authorized for
use by the same customer) why can they still send packets with those
source addresses? Instead shouldn't you say "Be careful if you are a
using source IP addresses without informing your upstream."
In practice, how many multi-homed customers send packets with unannounced
source IP addresses? And for those customers which do, why is the ISP
unable to implement any of the alternative source IP checking options,
such as using a ACL with uRPF or on the interface?