Re: Who does source address validation? (was Re: what's that smell?)

[Danny McPherson <danny () tcb net>]

>       install this on all your internal, upstream, downstream
> interfaces (cisco router) [cef required]:
>
> "ip verify unicast source reachable-via any"
>
>       This will drop all packets on the interface that do not
> have a way to return them in your routing table.

Of course, this is the IP RIB and may not include all the 
potential paths in the BGP Adj-RIBs-In, right?  As such, 
you've still got the potential for asymmetric routing to 
break things.
 
>       Juniper has a somewhat viable solution to the 100% source
> validation for bgp customers.  they will consider non-best
> paths in their unicast-rpf check on the customer interface.  This
> means that even if 35.0.0.0/8 is best returned via your
> peer instead of via the provider the packet came in, but they
> are advertizing the prefix to you, you will not drop the packet.

What's a "bgp customer"?  Can they support 500K+ uRPF entries here?

-danny