[AusNOG] MANRS Project - Fixing the Internet's routing security is urgent and requires collaboration
Roland Dobbins
rdobbins at arbor.net
Mon Feb 29 18:56:29 EST 2016
On 29 Feb 2016, at 14:47, Mark Smith wrote:
> RPF is basically an automated form of ingress source address ACLs, so
> anything that can do those can enforce source address validation - which
> would include going back at least as far back as AGS+.
It is much more complex and nuanced than this.
I understand quite intimately how uRPF works with regard to Cisco
implementations and the various options thereof. I'm also quite aware
of its limitations and of topological scenarios where it doesn't apply.
I recommend uRPF where and when it is appropriate.
tACLs can indeed be used for source-address validation, and I recommend
them, when/where appropriate. Note that tACL management on a network of
any size is challenging.
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>