nanog mailing list archives
Re: Todd Underwood was a little late
From: Steve Bertrand <steve () ipv6canada com>
Date: Fri, 18 Jun 2010 09:21:37 -0400
On 2010.06.18 09:06, William Herrin wrote:
> On Fri, Jun 18, 2010 at 8:37 AM, Steve Bertrand <steve () ipv6canada com> wrote:
>> If all IP blocks are tied down to null, and urpf is enabled in loose mode on an interface, it will catch cases where someone is sourcing traffic to you using IPs from the unassigned space that you have in your free pools.
>
> I'm not sure what that accomplishes. It doesn't close any doors. With loose-mode RPF he can still forge packets from any address actually in use.

Yes, that is correct. However, it stops someone from outside sending your network packets with a source address that currently resides in one of your free pools. What it does is prevent packets with the illegal IP address from actually being delivered to the intended destination within your network, preserving some (perhaps a very small amount) of bandwidth/router resources.

For instance, if I send your mail server a packet with a source of one of your IPs that you currently do not have in use and you don't have rpf enabled, the forged packet will make it to the server, be sent back to its next-hop, and then be discarded (if you have tie downs). With urpf enabled, the packet is discarded upon the first ingress into the network, thereby preventing it from going any further.

This is what I use loose mode for anyway.

Steve
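A small model of the behaviour discussed in this message, added here as an illustration and not part of the original post: it traces a forged packet with and without the loose-mode check at the border. The prefixes, next-hop names and function names are constructed assumptions, and the model treats a source whose best route is a null tie-down as failing the loose check, as the message describes.

```python
import ipaddress

NULL = "null0"  # discard next hop used for tie-down routes

# Constructed sample routing table (documentation prefixes, not from the post).
FIB = {
    ipaddress.ip_network("198.51.100.0/24"): NULL,      # tie-down for the whole allocation
    ipaddress.ip_network("198.51.100.0/26"): "core",    # the only subnet actually in use
    ipaddress.ip_network("203.0.113.0/24"): "upstream",  # a route learned from outside
}

def lookup(addr, fib=FIB):
    """Longest-prefix match; returns the next hop, or None if no route covers addr."""
    ip = ipaddress.ip_address(addr)
    matches = [net for net in fib if ip in net]
    if not matches:
        return None
    return fib[max(matches, key=lambda net: net.prefixlen)]

def loose_urpf_pass(src, fib=FIB):
    """Loose mode: the source passes if its best route exists and is not the null tie-down."""
    return lookup(src, fib) not in (None, NULL)

def trace(src, dst, urpf, fib=FIB):
    """Events for a packet arriving at the border, followed by the server's reply."""
    if urpf and not loose_urpf_pass(src, fib):
        return ["dropped at ingress by loose uRPF"]
    hop = lookup(dst, fib)
    if hop in (None, NULL):
        return ["dropped: no usable route to destination"]
    events = [f"delivered to {dst} via {hop}"]
    back = lookup(src, fib)  # the reply is routed toward the forged source
    if back in (None, NULL):
        events.append("reply discarded at null tie-down")
    else:
        events.append(f"reply forwarded via {back}")
    return events

if __name__ == "__main__":
    server = "198.51.100.10"
    for src in ("198.51.100.200", "198.51.100.20"):  # free pool vs. in-use address
        for urpf in (False, True):
            print(src, "urpf" if urpf else "no-urpf", trace(src, server, urpf))
```

The second source address shows the limitation raised in the quoted reply: a forged address from the in-use subnet passes the loose check.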
