
[OPSEC] FYI draft-ietf-opsec-blackhole-urpf-04



Another iteration of this draft after last call has been posted.

You may peruse it at your leisure. The diff located here:

http://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-opsec-blackhole-urpf-04.txt


shows the changes which are minor for the most part, except for the very
strong disclaimer now in 4.0...

Before enabling uRPF (in any mode), it is vital that you
   fully understand the implications of doing so:

     - Strict mode will cause the router to drop all ingress traffic
       if the best path back to the source address of the traffic is
       not the interface from which the traffic was received.
       Asymmetric routing will cause strict mode uRPF to drop
       legitimate traffic.

    - Loose mode causes the router to check if a route for the source
      address of the traffic exists. This may also cause legitimate
      traffic to be discarded.

   It is hoped that in the future, vendors will implement a "DoS-
   mitigation" mode in addition to the Loose and Strict modes -- in this
   mode, the uRPF check will only fail if the next-hop for the source of
   the packet is a discard interface.
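
The three checks quoted above, modelled as an added example (not part of the original message or of the draft). The FIB, interface names and sample packets are constructed; treating a route to the discard interface as a failed check in loose mode is a modelling assumption reflecting how source-based blackholing relies on loose mode.

```python
import ipaddress

DISCARD = "discard"  # hypothetical name for the discard/null interface

# Constructed FIB: prefix -> interface on the best path toward that prefix.
FIB = {
    "198.51.100.0/24": "eth0",
    "203.0.113.0/24": "eth1",
    "192.0.2.0/24": "eth0",
    "192.0.2.66/32": DISCARD,  # source blackholed by a more specific route
}

def best_route(src):
    """Longest-prefix match on the source address; None if no route."""
    addr = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in FIB.items()
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def urpf_pass(mode, src, in_if):
    """Return True if the packet survives the uRPF check in the given mode."""
    out_if = best_route(src)
    if mode == "strict":
        # Best path back to the source must be the receiving interface.
        return out_if == in_if
    if mode == "loose":
        # A route must exist (assumption: and must not point to discard).
        return out_if is not None and out_if != DISCARD
    if mode == "dos-mitigation":
        # Proposed mode: fail only when the next hop is the discard interface.
        return out_if != DISCARD
    raise ValueError(f"unknown mode: {mode}")

def verdicts(src, in_if):
    return {m: urpf_pass(m, src, in_if)
            for m in ("strict", "loose", "dos-mitigation")}

if __name__ == "__main__":
    samples = [("198.51.100.7", "eth0"),  # symmetric path
               ("203.0.113.9", "eth0"),   # asymmetric: best path back is eth1
               ("10.1.2.3", "eth0"),      # no route for the source
               ("192.0.2.66", "eth0")]    # blackholed source
    for src, ifc in samples:
        print(src, ifc, verdicts(src, ifc))
```

The asymmetric and no-route samples are the legitimate-traffic cases the disclaimer warns about: strict mode drops both, loose mode drops the second, and only the blackholed source is dropped in every mode.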