[AusNOG] VoIP Hack Attempts

Julien Goodwin ausnog at studio442.com.au
Tue Sep 28 09:29:11 EST 2010


On 28/09/10 09:18, craig at askings.com.au wrote:
> It does if you do the following to your upstream transit ports, if you are
> running Cisco. I don't think the Juniper equivalent command can be made
> quite so specific.
> 
> ip verify unicast source reachable-via any allow-default allow-self-ping

Er, the Juniper equivalent is (imho) better.

Essentially:
interfaces {
	* {
		family inet(6) {
			rpf-check;
		}
	}
}

Is enough to have strict mode RPF. To get loose mode which is in your
Cisco config you just add "mode loose" to the rpf command.

But all that does is verify the IP exists in the routing table, largely
useless, as anything which would hit the filter would be dropped anyway.

What *does* work even for multihomed sites is the "feasible path"
option, which allows traffic to come from non-optimal paths, as long as
that path advertises a route to the source.

That's a global setting:
routing-options {
	forwarding-table {
		unicast-reverse-path feasible-paths;
	}
}
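As an added illustration (not from the thread), here is a small Python model of the three uRPF behaviours discussed above: loose mode (source merely present in the table), strict mode (source's best path must be the ingress interface), and feasible-path mode (any advertised path to the source, best or not, may be the ingress). The FIB, interface names and addresses are constructed for a multihomed site; "allow_default" mirrors the allow-default keyword in the quoted Cisco command.

```python
import ipaddress

# Constructed sample FIB: prefix -> list of (interface, is_best_path).
# 203.0.113.0/24 is learned from two upstreams: best via ge-0/0/0, a
# non-best but feasible path via ge-0/0/1 (the asymmetric multihoming case).
FIB = {
    "0.0.0.0/0": [("ge-0/0/0", True)],
    "203.0.113.0/24": [("ge-0/0/0", True), ("ge-0/0/1", False)],
    "198.51.100.0/24": [("ge-0/0/1", True)],
}


def lookup(src):
    """Longest-prefix match for src; returns (network, paths) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, paths in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, paths)
    return best


def urpf_pass(src, ingress, mode, allow_default=False):
    """True if a packet from src arriving on ingress passes the uRPF check."""
    match = lookup(src)
    if match is None:
        return False                     # no route to the source at all
    net, paths = match
    if net.prefixlen == 0 and not allow_default:
        return False                     # only the default route matched
    if mode == "loose":
        return True                      # any route to the source is enough
    if mode == "strict":
        return any(iface == ingress for iface, best in paths if best)
    if mode == "feasible":
        return any(iface == ingress for iface, best in paths)
    raise ValueError("unknown uRPF mode: %s" % mode)


if __name__ == "__main__":
    # Legitimate return traffic entering via the non-best upstream.
    for mode in ("loose", "strict", "feasible"):
        print(mode, urpf_pass("203.0.113.5", "ge-0/0/1", mode))
```

Strict mode drops the legitimate asymmetric flow while feasible-path accepts it, yet both still drop a source that is only routed via a different interface.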
