Visser, Martin (Sydney) wrote:
> Absolutely and this should be done as part of any anti-spoofing in a
> firewall and router facing a hostile network. I just wanted to clarify
> that it is not an IP routing function per se, rather it is something
> that has to be explicitly configured. (Apart from security reasons you
> may want to send traffic via different routes depending on the customer
> source address because of the service they are paying for)

The explicit configuration is true of routers shipping today.

There's a fair amount of agitation within Cisco to make
"ip verify" the default.  These agitators feel that ISPs
should have enough clue to disable it on PE-PE interfaces.

The summary is:

Run "ip verify" on all interfaces which
  - learn an exterior default (as it will then reject packets with
    *your* source addresses)
  - are leaf subnets within your network

Maybe run "ip verify" on other interfaces, but it adds
no additional value to that above.

Do not run IP verify on interfaces which can be part of
an asymmetric routing path.  These are provider-provider interfaces
and interfaces on policy routed paths.

It is likely that the ACA will issue a Technical Determination
requiring the above from telco ISPs.

-- 
  Glen Turner                                 Network Engineer
  (08) 8303 3936      Australian Academic and Research Network
  [EMAIL PROTECTED]          http://www.aarnet.edu.au/
--
  The revolution will not be televised, it will be digitised
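As an added illustration of the three cases in Glen's summary (this is constructed example code, not Cisco's implementation or anything from the message), the check below models strict "ip verify": a packet is accepted only if the forwarding table's best route to its *source* address points back out the interface it arrived on. The FIB, interface names and addresses (RFC 5737 documentation space) are all assumed for the example.

```python
"""Model of strict unicast RPF ("ip verify") on a small ISP router.

Constructed illustration, not Cisco code. The FIB maps prefixes to the
interface a packet *destined* for that prefix would leave on; strict
uRPF reuses that table to judge where a packet's *source* should have
come from.
"""
from ipaddress import ip_address, ip_network

# Constructed FIB (documentation address space, assumed for the example):
#   203.0.113.0/24     our own block, behind customer-facing "cust0"
#   203.0.113.128/25   a leaf subnet of it, behind "cust1"
#   198.51.100.0/24    a peer's block, reached over "peer0"
#   0.0.0.0/0          exterior default, learned over "upstream0"
FIB = {
    ip_network("203.0.113.0/24"): "cust0",
    ip_network("203.0.113.128/25"): "cust1",
    ip_network("198.51.100.0/24"): "peer0",
    ip_network("0.0.0.0/0"): "upstream0",
}


def lookup(addr):
    """Longest-prefix match: return the egress interface for addr, or None."""
    ip = ip_address(addr)
    matches = [net for net in FIB if ip in net]
    if not matches:
        return None
    return FIB[max(matches, key=lambda n: n.prefixlen)]


def strict_urpf_accept(src, ingress):
    """Strict uRPF: accept only when the best route to src exits via ingress."""
    return lookup(src) == ingress


def demo():
    """Return the decision for each case in the summary above."""
    return {
        # Interface learning the exterior default: a packet carrying one
        # of *our* source addresses routes back to cust0, so it is dropped.
        "upstream_spoofs_our_prefix": strict_urpf_accept("203.0.113.5", "upstream0"),
        # Leaf subnet: its own addresses pass, a peer's prefix is rejected.
        "leaf_own_source": strict_urpf_accept("203.0.113.200", "cust1"),
        "leaf_spoofs_peer": strict_urpf_accept("198.51.100.9", "cust1"),
        # Provider-provider interface on an asymmetric path: the peer hands us
        # legitimate traffic from a prefix we route via the default, and
        # strict mode drops it. This is the caveat in the message.
        "peer_asymmetric_legit": strict_urpf_accept("192.0.2.7", "peer0"),
    }
```

The last case is why the message says not to enable the check on provider-provider or policy-routed interfaces: the reverse lookup disagrees with a perfectly valid forward path.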

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug