[AusNOG] MANRS Project - Fixing the Internet's routing security is urgent and requires collaboration

Mark Smith markzzzsmith at gmail.com
Mon Feb 29 19:40:44 EST 2016


On 29 Feb 2016 6:57 PM, "Roland Dobbins" <rdobbins at arbor.net> wrote:
>
> On 29 Feb 2016, at 14:47, Mark Smith wrote:
>
>> RPF is basically an automated form of ingress source address ACLs, so
>> anything that can do those can enforce source address validation - which
>> would include going back at least as far back as AGS+.
>
>
> It is much more complex and nuanced than this.
>

It can be, but that doesn't mean if your router doesn't support it there is
nothing you can do.

Perfect is the enemy of good.

> I understand quite intimately how uRPF works with regards to Cisco
> implementations and the various options thereof.  I'm also quite aware of
> its limitations and of topological scenarios where it doesn't apply.  I
> recommend uRPF where and when it is appropriate.
>
> tACLs can indeed be used for source-address validation, and I recommend
> them, when/where appropriate.  Note that tACL management on a network of
> any size is challenging.

That network had about 500 routers if I recall correctly.

> -----------------------------------
> Roland Dobbins <rdobbins at arbor.net>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
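As an added example (not code from the thread or from anyone posting in it), the Python below simulates the comparison being made above: strict uRPF deriving permitted source prefixes from the FIB, loose uRPF, and a hand-maintained ingress source-address ACL. The multihomed customer case shows the topology where strict mode drops legitimate traffic and only the ACL or loose mode passes it; the FIB, interface names and addresses are constructed.

```python
"""Strict/loose uRPF versus a hand-maintained ingress source-address ACL.

Added example, not code from the AusNOG thread; FIB, interface names and
addresses are constructed for illustration."""
import ipaddress

# Constructed FIB: best route per prefix -> egress interface.
FIB = {
    ipaddress.ip_network("198.51.100.0/24"): "Gi0/1",  # single-homed customer A
    ipaddress.ip_network("203.0.113.0/24"): "Gi0/2",   # multihomed customer B, preferred link
    ipaddress.ip_network("0.0.0.0/0"): "Gi0/0",        # upstream default
}

# Hand-maintained ACL: what strict uRPF derives from the FIB, plus the operator's
# knowledge that customer B may also source traffic over its second link Gi0/3.
ACL = {
    "Gi0/1": [ipaddress.ip_network("198.51.100.0/24")],
    "Gi0/2": [ipaddress.ip_network("203.0.113.0/24")],
    "Gi0/3": [ipaddress.ip_network("203.0.113.0/24")],
}

def best_route(src):
    """Longest-prefix match, ignoring the default route as uRPF does by default."""
    ip = ipaddress.ip_address(src)
    matches = [p for p in FIB if ip in p and p.prefixlen > 0]
    return max(matches, key=lambda p: p.prefixlen) if matches else None

def urpf_strict(src, in_if):
    """Strict mode: accept only if the best route back to src exits via the ingress interface."""
    pfx = best_route(src)
    return pfx is not None and FIB[pfx] == in_if

def urpf_loose(src):
    """Loose mode: accept if any non-default route covers src, whatever the interface."""
    return best_route(src) is not None

def ingress_acl(src, in_if):
    """Static ACL: accept if src falls within a prefix permitted on the ingress interface."""
    ip = ipaddress.ip_address(src)
    return any(ip in p for p in ACL.get(in_if, ()))

def evaluate(src, in_if):
    """Verdict of all three checks for one packet (True = forwarded)."""
    return {"strict": urpf_strict(src, in_if),
            "loose": urpf_loose(src), "acl": ingress_acl(src, in_if)}

if __name__ == "__main__":
    # Spoofed customer-A source on B's link, then B legitimately using its second link.
    print(evaluate("198.51.100.5", "Gi0/2"), evaluate("203.0.113.10", "Gi0/3"))
```

Loose mode passes the spoofed packet because the prefix is routable, while strict mode drops customer B's valid asymmetric traffic; the ACL handles both but must be maintained by hand on every interface.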