nanog mailing list archives

Re: Todd Underwood was a little late


From: William Herrin <bill () herrin us>
Date: Fri, 18 Jun 2010 11:27:57 -0400

On Fri, Jun 18, 2010 at 9:21 AM, Steve Bertrand <steve () ipv6canada com> wrote:
> On 2010.06.18 09:06, William Herrin wrote:
>> On Fri, Jun 18, 2010 at 8:37 AM, Steve Bertrand <steve () ipv6canada com> wrote:
>>
>> I'm not sure what that accomplishes. It doesn't close any doors. With
>> loose-mode RPF he can still forge packets from any address actually in
>> use.
>
> What it does is prevent packets with the illegal IP address from
> actually being delivered to the intended destination within your network,
> preserving some (perhaps a very small amount) of bandwidth/router resources.

Right, but to save that fractional bit of bandwidth you pay for an
extra TCAM or radix tree hit impacting every single packet entering
your system on your very expensive upstream border routers -- a
significant reduction in your hardware's capacity.

I get strict RPF - if you can guarantee symmetric routing (which you
often can in single-homed scenarios) it offers a meaningful
improvement in your network's security without configuration
management challenges at the cost of extra processing. But the
cost/benefit to loose RPF doesn't seem to come close to adding up in
any scenario that occurs to me.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
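As an added illustration that is not part of the thread (and not any router vendor's implementation), the following Python models the strict and loose uRPF decisions against a small constructed FIB. The prefixes, interface names and packets are made up for the example, and the `allow_default` flag is an assumption modelled on the common vendor behaviour where a default-route match does not satisfy uRPF unless explicitly allowed. It shows the point being argued above: loose mode only drops sources that have no route or a discard route, so a source forged from any address actually in use passes; strict mode catches that, but also drops legitimate traffic whenever the return path is asymmetric.

```python
"""Strict vs loose unicast RPF, simulated against a small constructed FIB.

Added example, not from the NANOG thread and not vendor code.
"""
import ipaddress

# Constructed FIB for the example: prefix -> interface the router would use
# to reach that prefix. "null" models a discard (Null0) route.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"):       "upstream0",  # default route
    ipaddress.ip_network("203.0.113.0/24"):  "cust0",      # single-homed customer
    ipaddress.ip_network("198.51.100.0/24"): "peer0",      # a peer's prefix
    ipaddress.ip_network("10.0.0.0/8"):      "null",       # RFC 1918 discard route
}


def lookup(fib, src):
    """Longest-prefix match for src; returns (prefix, iface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def rpf_check(fib, src, ingress, mode, allow_default=False):
    """Decide whether a packet with source src arriving on ingress passes uRPF.

    mode="strict": the best route back to src must point out the ingress
                   interface (requires symmetric routing).
    mode="loose":  any route to src that is not a discard route suffices,
                   whatever interface it points to.
    allow_default: whether a default-route match counts as "routed"
                   (assumed to mirror vendor allow-default behaviour; off
                   by default). With it on, loose mode passes almost anything.
    Returns True (forward) or False (drop).
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    match = lookup(fib, src)
    if match is None:
        return False                      # no route at all: drop in both modes
    prefix, iface = match
    if iface == "null":
        return False                      # discard route: drop in both modes
    if prefix.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    if mode == "loose":
        return True
    return iface == ingress               # strict: route must point back out ingress


def scenarios():
    """Constructed packets: description -> {mode: verdict}."""
    cases = [
        ("legit customer source",          "203.0.113.5",  "cust0"),
        ("spoofed peer address on cust0",  "198.51.100.7", "cust0"),
        ("spoofed RFC 1918 source",        "10.1.2.3",     "cust0"),
        ("source covered only by default", "192.0.2.9",    "cust0"),
        ("legit source, asymmetric path",  "203.0.113.5",  "cust1"),
    ]
    return {
        desc: {m: rpf_check(FIB, src, iface, m) for m in ("strict", "loose")}
        for desc, src, iface in cases
    }


if __name__ == "__main__":
    for desc, verdicts in scenarios().items():
        print(f"{desc:34s} strict={verdicts['strict']!s:5s} loose={verdicts['loose']}")
```

The second and last scenarios are the two sides of the argument: loose mode forwards the packet forged from the peer's prefix because a route to it exists, while strict mode drops a genuine customer packet the moment it arrives on a link the FIB does not point back out of. Both modes still need the extra lookup per packet; what differs is only what the lookup result is allowed to say.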
