On Mon, 24 Mar 2008, Darrel Lewis (darlewis) wrote:
|> uRPF is one example of an implementation of this type of sanity
|> checking.
|> You can also do it via ACLs. The concept is the same either way.
|
|Okay and what was your point?

Simply this: if return packets leaving a LISP site, headed for a non-LISP site, use an EID as the source address, then it is highly likely that the packets will be dropped due to the source address filtering.

It would pass a loose-mode check since the route is in the table, which is the current best practice for multi-homed networks.

This may depend on the ISP and the size of multi-homed network.

In general, I disagree with this categorical statement. Strict uRPF works just fine with multihomed customers. Even when the traffic is asymmetric. See BCP84 and draft-savola-bcp84-urpf-experiences-03.txt for more.

Loose RPF towards a customer is not very useful.

A site originating traffic from its non-routable source addresses is akin to Mobile IP designs. Initially they thought it was OK to use the home address to source packets from anywhere but in the end they needed to deploy reverse tunneling. Here, instead of a mobile IP host we have an endsite which may or may not use BGP or some other protocol to advertise some other part of its address space.
--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
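An added example, not part of the thread: a simplified model of the strict, feasible-path and loose source checks described in BCP84, run against a constructed route table on an ISP edge router. The prefixes (documentation ranges), the interface names `cust0` and `peer0`, and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed route table: (prefix, interface, best). Prefixes are documentation
# ranges, interface names are hypothetical; best=True marks the installed path.
RIB = [
    ("198.51.100.0/24", "cust0", True),   # customer prefix, best path via customer link
    ("203.0.113.0/24", "peer0", True),    # customer prefix, best path via another link
    ("203.0.113.0/24", "cust0", False),   # ...also announced on the customer link
    ("192.0.2.0/24", "peer0", True),      # prefix never announced on the customer link
]

def covering_routes(src):
    """Return all routes for the longest prefix that covers src."""
    addr = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), i, b) for p, i, b in RIB
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return []
    longest = max(net.prefixlen for net, _, _ in hits)
    return [(i, b) for net, i, b in hits if net.prefixlen == longest]

def urpf_pass(src, in_iface, mode):
    """Would a packet with source src arriving on in_iface pass the check?"""
    routes = covering_routes(src)
    if mode == "loose":      # any route to the source, via any interface
        return bool(routes)
    if mode == "feasible":   # some route (best or alternate) via the arrival interface
        return any(i == in_iface for i, _ in routes)
    if mode == "strict":     # the best route must point out the arrival interface
        return any(i == in_iface and b for i, b in routes)
    raise ValueError("unknown mode: " + mode)

def verdicts(src, in_iface="cust0"):
    return {m: urpf_pass(src, in_iface, m) for m in ("strict", "feasible", "loose")}

if __name__ == "__main__":
    for label, src in [("symmetric customer prefix", "198.51.100.10"),
                       ("asymmetric customer prefix", "203.0.113.10"),
                       ("prefix routed elsewhere", "192.0.2.10"),
                       ("no route at all", "10.1.1.1")]:
        print(f"{label:28} {src:15} {verdicts(src)}")
```

A source whose prefix is reachable only via another interface passes the loose check alone, which is the case the thread argues about for EID-sourced packets.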