From: Paul Zugnoni (paulzugnoni@gmail.com)
Date: Thu May 17 2007 - 12:32:30 ART
Hi Graham,
They both address the same issue, but ip verify unicast reverse-path takes
it 1 step further by verifying that the router has a route to the source
using the same interface on which the packet was received. Here's a scenario
where this may matter:
int s0
 ip address 10.1.35.2 255.255.255.252
 ip access-group 1 in
!
int s1
 ip address 10.1.244.2 255.255.255.252
 ip access-group 1 in
!
ip route 2.2.2.0 255.255.255.0 10.1.35.1   << route to 2.2.2.0/24 uses s0 as the outbound interface
!
access-list 1 permit <your inside IP's>   << drops inbound packets with a source IP from the inside network's IP space
In this example, if a packet sourced from 2.2.2.100 enters s1, it will be
permitted.
However, if we add
ip verify unicast reverse-path
a packet from 2.2.2.100 would get dropped if it came in on s1. In essence, ip
verify unicast reverse-path prevents spoofing AND asymmetric routing.
I'll let someone else advise on which would be the "correct" answer for the
lab..... but I'd go with the ACL, since it addresses spoofing w/o impacting
other routing functions.
Cheers,
Paul
On 5/17/07, graham@cisco-engineer.com <graham@cisco-engineer.com> wrote:
>
> With regards to preventing IP spoofing:
>
> Does the
>
> ip verify unicast reverse-path
>
> serve the same function as a
>
> deny ip <inside ip's> <inside mask> any
>
> If asked in the lab to prevent spoof attacks on a subnet from the
> outside, which is the "most correct" method to use, or are both perfectly
> valid methods?
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
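Added example, not part of this thread and not Cisco code: a small Python model of the three IOS ingress checks being compared, run against a constructed forwarding table. It assumes a router with the inside network 2.2.2.0/24 on an interface e0, the two serial links s0 and s1 from the thread, a more-specific route to 198.51.100.0/24 via s0 and a default route via s1 (all of this is constructed for the example, including the address 198.51.100.0/24 and the interface e0). It shows why the ingress ACL and strict uRPF both drop a spoofed inside address arriving on s1, why only strict uRPF also drops the legitimate asymmetric case described above, and what loose mode and allow-default change.

```python
"""Model of three IOS-style ingress source checks on a constructed forwarding table."""
import ipaddress
from typing import Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# Constructed forwarding table (not from the thread): one inside LAN on e0,
# two upstream serial links s0 and s1, as a multihomed edge router would have.
FIB = {
    Net("2.2.2.0/24"): "e0",        # the inside network
    Net("10.1.35.0/30"): "s0",      # connected, same addressing as the thread's s0
    Net("10.1.244.0/30"): "s1",     # connected, same addressing as the thread's s1
    Net("198.51.100.0/24"): "s0",   # more-specific route known only via s0
    Net("0.0.0.0/0"): "s1",         # default route points at s1
}

# Address space that may legitimately source packets only from e0.
INSIDE = (Net("2.2.2.0/24"),)


def lookup(src: Addr) -> Optional[Tuple[Net, str]]:
    """Longest-prefix match; returns (prefix, egress interface) or None."""
    matches = [(net, iface) for net, iface in FIB.items() if src in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def ingress_acl(src: Addr, ingress: str) -> bool:
    """'deny ip <inside> <mask> any' on the outside interfaces, then 'permit ip any any'."""
    if ingress != "e0" and any(src in net for net in INSIDE):
        return False
    return True


def strict_urpf(src: Addr, ingress: str, allow_default: bool = False) -> bool:
    """Strict uRPF (ip verify unicast reverse-path / source reachable-via rx):
    the best route back to the source must leave via the ingress interface."""
    hit = lookup(src)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False  # the default route does not satisfy the check unless allow-default
    return iface == ingress


def loose_urpf(src: Addr, allow_default: bool = False) -> bool:
    """Loose uRPF (ip verify unicast source reachable-via any):
    any route to the source suffices, whichever interface it points to."""
    hit = lookup(src)
    if hit is None:
        return False
    return hit[0].prefixlen > 0 or allow_default


def evaluate(src: str, ingress: str) -> dict:
    """Run all three checks (without allow-default) on one packet's source and ingress."""
    a = Addr(src)
    return {
        "acl": ingress_acl(a, ingress),
        "strict": strict_urpf(a, ingress),
        "loose": loose_urpf(a),
    }


if __name__ == "__main__":
    cases = [
        ("2.2.2.100", "e0"),      # legitimate inside host on the inside interface
        ("2.2.2.100", "s1"),      # spoofed inside address arriving from outside
        ("198.51.100.7", "s1"),   # legitimate source whose return route is via s0
        ("203.0.113.9", "s1"),    # source covered only by the default route
    ]
    for src, ingress in cases:
        print(f"{src:>13} in {ingress}: {evaluate(src, ingress)}")
```

Mapping back to IOS: strict mode is ip verify unicast reverse-path (on newer images ip verify unicast source reachable-via rx), loose mode is ip verify unicast source reachable-via any, and the allow-default keyword on either lets the default route satisfy the check. The second and third cases are the point of the answer above: both methods drop the spoofed 2.2.2.100 on s1, but only strict uRPF also drops 198.51.100.7 on s1, which is ordinary asymmetric traffic on a multihomed router; loose mode keeps that traffic but lets the spoofed inside address through, so on its own it is not an anti-spoofing control for the inside subnet.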
This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:21 ART