On Thu, 2002-11-28 at 10:22, Kurt Erik Lindqvist wrote:
> > Unfortunately, no, there are no simple solutions. Most measures you can
> > make mainly protect others from mishaps in your network -- which of course
> > should not stop you from doing. Obvious short list would probably be:
> there is a very simple start. Enable strict RPF on all your routers....
...or not so simple.
While this is probably just rehashing a myriad of old NANOG threads,
strict RPF can't be applied everywhere. Some places you will have to
settle for loose RPF or just manual filters. And the reason I even
bother bringing this up is that I have a few real-life scenarios of this
that we have experienced here, not just hypothetical problems. Customers
unfortunately have a nasty habit of doing Real Strange Stuff(tm).
Then there is of course the br0ken Cisco-junk out there, like the 6500's
with their 122.000 FIB limit when uRPF is enabled, that is also
preventing deployment of RPF. 6500/7600 is quite popular among a lot of
ISPs here in Norway at least, and is probably a bigger showstopper for
uRPF than certain GSR linecards having some issues and minor things like