Re: ip verify unicast reverse-path from Tom Kacprzynski on 2012-02-08 (Ccielab archives 02/2012)

From: Tom Kacprzynski <tom.kac_at_gmail.com>
Date: Wed, 8 Feb 2012 10:34:40 -0600

Yeah that would not make sense to use a default route. Loose mode is also
used when you have asymmetric routing to give you little bit of protection
instead of using strict mode which would fail all forwarding.

I thought this was also interesting "Additionally, a packet that contains a
source address for which the return route points to the Null 0 interface
will be dropped. "
http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

On Tue, Feb 7, 2012 at 10:35 PM, Vincent Tay <vtay.75_at_gmail.com> wrote:

> Ok. So can I conclude that if the ISP is running default route, it will not
> make sense to use ip verify unicast reverse path allow default meaning
> loose
> mode.
>
> Vincent Tay
>
> On 8 Feb, 2012, at 11:23 AM, Tom Kacprzynski <tom.kac_at_gmail.com> wrote:
>
> > Vincent,
> > On the ISP size a loose mode might be used to preventing RFC1918 IP
> addressing as those should not be included in the global routing table or
> any
> addressing not yet assigned. These days that's not a very large number of
> unassigned subnets for IPv4, but in the past that could be useful. On the
> enterprise side if you don't have the global routing table, you might
> prevent
> spoofing of addresses that are not in your routing domain, basically loose
> mode will not forward packets based on the availability of that source's
> network in the routing table. If an enterprise is using a 10.0.0.0/8
> addressing while a worm is trying to spoof packets with someone else's
> public
> address that should be blocked by loose mode as those public network most
> likely won't be present in the routing table and only matched by a a
> default
> route.
> >
> > Hope that make things little clearer.
> >
> > Tom Kacprzynski
> >
> >
> > On Tue, Feb 7, 2012 at 7:59 PM, Vincent Tay <vtay.75_at_gmail.com> wrote:
> > Hi all,
> > I m wondering how loose mode help in detecting spoof packets.
> > Can anyone share?
> > Vincent Tay
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Wed Feb 08 2012 - 10:34:40 ART

This archive was generated by hypermail 2.2.0 : Thu Mar 01 2012 - 11:46:56 ART