On Mon, 24 Mar 2008, Darrel Lewis (darlewis) wrote:
> |> uRPF is one example of an implementation of this type of sanity
> |> checking.
> |> You can also do it via ACLs. The concept is the same either way.
> |
> |Okay and what was your point?
>
> Simply this: if return packets leaving a LISP site, headed
> for a non-LISP site, use an EID as the source address, then it
> is highly likely that the packets will be dropped due to the
> source address filtering.
>
> It would pass a loose-mode check since the route is in the table, which
> is the current best practice for multi-homed networks.
>
> This may depend on the ISP and the size of the multi-homed network.
In general, I disagree with this categorical statement. Strict uRPF
works just fine with multihomed customers, even when the traffic is
asymmetric. See BCP84 and draft-savola-bcp84-urpf-experiences-03.txt
for more.

Loose RPF towards a customer is not very useful.

A site originating traffic from its non-routable source addresses is
akin to Mobile IP designs. Initially they thought it was OK to use
the home address to source packets from anywhere, but in the end they
needed to deploy reverse tunneling. Here, instead of a mobile IP host,
we have an endsite which may or may not use BGP or some other protocol
to advertise some other part of its address space.
--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
--
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg
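As an added illustration, not part of the thread above, here is a toy Python model of the loose and strict uRPF checks (RFC 3704 / BCP84 semantics) run against a constructed non-LISP provider-edge FIB: the interface names and prefixes are assumptions, with 203.0.113.0/24 standing in for a LISP EID block and 198.51.100.0/24 for a multihomed customer's own prefix. It covers both the case Darrel describes (a covering route for the EID block exists, so loose passes but strict drops) and Pekka's non-routable case (no covering route, so both drop).

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str  # egress interface of this route

class Fib:
    """Longest-prefix-match FIB without a default route, like a DFZ edge router."""
    def __init__(self, routes):
        self.routes = [Route(ipaddress.ip_network(p), via) for p, via in routes]

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        hits = [r for r in self.routes if a in r.prefix]
        best = max((r.prefix.prefixlen for r in hits), default=None)
        return [r for r in hits if r.prefix.prefixlen == best]  # ECMP-aware

def urpf_check(fib, src, ingress, mode):
    """RFC 3704 (BCP84) semantics: loose passes if any route to src exists;
    strict passes only if a best route to src points back out the ingress interface."""
    routes = fib.lookup(src)
    if mode == "loose":
        return bool(routes)
    if mode == "strict":
        return any(r.via == ingress for r in routes)
    raise ValueError(f"unknown uRPF mode {mode!r}")

def provider_fib(eid_routed):
    """Constructed FIB of a non-LISP provider edge (interface names are assumptions):
    cust-a links to a multihomed customer announcing 198.51.100.0/24 over it, upstream
    is the rest of the Internet, and 203.0.113.0/24 stands in for a LISP EID block;
    eid_routed says whether any covering route for that block exists in this FIB."""
    routes = [("198.51.100.0/24", "cust-a"), ("192.0.2.0/24", "upstream")]
    if eid_routed:
        routes.append(("203.0.113.0/24", "upstream"))
    return Fib(routes)

def scenarios():
    """(loose, strict) verdicts for the packets the thread argues about."""
    routed, unrouted = provider_fib(True), provider_fib(False)
    cases = {
        "eid_src_routed": (routed, "203.0.113.7", "cust-a"),       # EID source, route points elsewhere
        "eid_src_unrouted": (unrouted, "203.0.113.7", "cust-a"),   # EID source, no route at all
        "customer_own_prefix": (routed, "198.51.100.9", "cust-a"), # customer's own prefix on its link
        "spoof_from_customer": (routed, "192.0.2.5", "cust-a"),    # foreign but routed source on that link
    }
    return {n: (urpf_check(f, s, i, "loose"), urpf_check(f, s, i, "strict"))
            for n, (f, s, i) in cases.items()}
```

The last case is the one behind "loose RPF towards a customer is not very useful": any routed address passes loose, while strict on the customer link only accepts the prefixes the provider routes back over that link.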