On Sat, 5 May 2007, Daniel Melameth wrote:

> I definitely see the value of urpf-failed, especially in bgp or similar
> environments. The question I have is, is this an "expensive" way to prevent
> spoofing? In other words, does it use significantly more CPU time when
> compared to something like antispoof?

Yes, URPF requires an extra route lookup per packet, whereas antispoof
expands to a static set of rules.

> Also, does urpf-failed "flag" incoming packets that are sourced with the
> same IP as the firewall like antispoof does?

I'm not sure what you mean here, but I don't think pf 'in' rules are applied
to locally generated packets.

-d
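As an added illustration (not part of the thread above), the two approaches side by side in pf.conf syntax. The interface name em0 and the addresses 192.0.2.1/24 are constructed for the example; the antispoof expansion shown in the comments follows the pattern documented in pf.conf(5).

```pf
# Added example, not from the original thread.
# Assumes em0 is configured as 192.0.2.1/24 (constructed addresses).

# antispoof is expanded by pfctl at load time into a fixed set of rules.
# Inspect the expansion with:  pfctl -nvf /etc/pf.conf
antispoof log quick for em0 inet

# For the assumed interface this expands to roughly:
#   block drop in log quick on ! em0 inet from 192.0.2.0/24 to any
#   block drop in log quick inet from 192.0.2.1 to any
# The second rule is the one that drops packets arriving with the
# firewall's own address as source, on any interface.

# uRPF is a single rule; pf consults the routing table for every packet
# it matches and blocks any whose source would not be routed back out the
# interface the packet arrived on. Only use it on interfaces where routing
# is symmetric, since legitimate traffic on asymmetric paths also fails
# the check.
block in log quick from urpf-failed label uRPF
```

Loading with `pfctl -nvf` shows the static rules antispoof generates without activating them, which is the quickest way to see why antispoof costs nothing per packet beyond normal rule evaluation while urpf-failed adds a route lookup.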
