[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Source Address Verification

On Fri, Mar 22, 2002 at 06:34:19PM +0100, Bernd Eckenfels wrote:
> On Fri, Mar 22, 2002 at 02:11:52PM +0100, Christian Bailleul wrote:
> > Can anybody explain me what exactly Source Address Verification does.  I know 
> > how to set it up and what the purpose is, but how does it actually work ?
> Do you mean "back route verify"? In this case it is a simple check: a packet
> with a given ip address can only arrive o a given interface, if the network
> which originated that package is listed to be reachable over the interface.
> Trivial case:
> if you receive a packet from on eth1 (internet) the router will
> look in it's routing table and find, that 10.0.0.x is connected to eth0
> (LAN). In this case he will not process the packet from since he
> can be quite shure, that someone on the internat tries to spoof this packet,
> cause he does not sit on the lan. This is automatic ingress filtering and
> only works in static route situations.
Why only in static route situation ? Would dynamic routes learned by a routing protocol make
any differences ? is rp_filter look at the route cache or does a lookup each time?

> Greetings
> Bernd
> -- 
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

-> Jean-Francois Dive
--> jef@linuxbe.org

Reply to: