Re: Source Address Verification
On Fri, Mar 22, 2002 at 06:34:19PM +0100, Bernd Eckenfels wrote:
> On Fri, Mar 22, 2002 at 02:11:52PM +0100, Christian Bailleul wrote:
> > Can anybody explain me what exactly Source Address Verification does. I know
> > how to set it up and what the purpose is, but how does it actually work ?
> Do you mean "back route verify"? In this case it is a simple check: a packet
> with a given ip address can only arrive o a given interface, if the network
> which originated that package is listed to be reachable over the interface.
> Trivial case:
> if you receive a packet from 10.0.0.1 on eth1 (internet) the router will
> look in it's routing table and find, that 10.0.0.x is connected to eth0
> (LAN). In this case he will not process the packet from 10.0.0.1 since he
> can be quite shure, that someone on the internat tries to spoof this packet,
> cause he does not sit on the lan. This is automatic ingress filtering and
> only works in static route situations.
Why only in static route situation ? Would dynamic routes learned by a routing protocol make
any differences ? is rp_filter look at the route cache or does a lookup each time?
> To UNSUBSCRIBE, email to firstname.lastname@example.org
> with a subject of "unsubscribe". Trouble? Contact email@example.com
-> Jean-Francois Dive