[AusNOG] MANRS Project - Fixing the Internet's routing security is urgent and requires collaboration

Roland Dobbins rdobbins at arbor.net
Mon Feb 29 18:56:29 EST 2016


On 29 Feb 2016, at 14:47, Mark Smith wrote:

> RPF is basically an automated form of ingress source address ACLs, so
> anything that can do those can enforce source address validation -
> which would include going back at least as far back as AGS+.

It is much more complex and nuanced than this.

I understand quite intimately how uRPF works with regard to Cisco 
implementations and the various options thereof.  I'm also quite aware 
of its limitations and of topological scenarios where it doesn't apply.  
I recommend uRPF where and when it is appropriate.

tACLs can indeed be used for source-address validation, and I recommend 
them, when/where appropriate.  Note that tACL management on a network of 
any size is challenging.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>

