On Fri, Mar 22, 2002 at 06:34:19PM +0100, Bernd Eckenfels wrote:
> On Fri, Mar 22, 2002 at 02:11:52PM +0100, Christian Bailleul wrote:
> > Can anybody explain to me what exactly Source Address Verification does. I
> > know how to set it up and what the purpose is, but how does it actually work?
>
> Do you mean "back route verify"? In this case it is a simple check: a packet
> with a given ip address can only arrive on a given interface, if the network
> which originated that package is listed to be reachable over the interface.
> Trivial case:
>
> if you receive a packet from 10.0.0.1 on eth1 (internet) the router will
> look in its routing table and find, that 10.0.0.x is connected to eth0
> (LAN). In this case he will not process the packet from 10.0.0.1 since he
> can be quite sure, that someone on the internet tries to spoof this packet,
> cause he does not sit on the lan. This is automatic ingress filtering and
> only works in static route situations.
>

Why only in static route situations? Would dynamic routes learned by a routing protocol make any difference? Does rp_filter look at the route cache or does it do a lookup each time?

> Greetings
> Bernd

--
-> Jean-Francois Dive
--> [EMAIL PROTECTED]
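
The check described in the quoted message, as an added example that is not part of the original thread and is not kernel code: a longest-prefix lookup on the packet's source address, accepted only if the best route back points out of the interface the packet arrived on. The routing table, the eth2 path and the sample addresses are constructed, and the "loose" mode (source merely reachable over some interface) goes beyond what the thread discusses.

```python
import ipaddress

# Constructed routing table: (destination prefix, outgoing interface).
ROUTES = [
    ("10.0.0.0/24", "eth0"),   # LAN, as in the quoted message
    ("192.0.2.0/24", "eth2"),  # assumption: second uplink, preferred for this prefix
    ("0.0.0.0/0", "eth1"),     # default route towards the internet
]

def best_route(table, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    matches = []
    for prefix, ifname in table:
        net = ipaddress.ip_network(prefix)
        if ip in net:
            matches.append((net, ifname))
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def rpf_accept(table, src, in_if, mode="strict"):
    """Reverse-path check on the source address of a received packet.

    strict: the best route back to src must use the arrival interface.
    loose:  src only has to be reachable over some interface.
    """
    route = best_route(table, src)
    if route is None:
        return False           # no route back to the source at all
    if mode == "loose":
        return True
    return route[1] == in_if

def classify(table, packets, mode="strict"):
    """Return [(src, in_if, 'accept' | 'drop'), ...] for constructed packets."""
    return [(s, i, "accept" if rpf_accept(table, s, i, mode) else "drop")
            for s, i in packets]

# Constructed sample traffic: (source address, arrival interface).
PACKETS = [
    ("10.0.0.1", "eth1"),      # LAN address arriving from the internet side
    ("10.0.0.1", "eth0"),      # same address arriving on the LAN
    ("198.51.100.9", "eth1"),  # internet host, covered by the default route
    ("192.0.2.7", "eth1"),     # genuine host whose replies would leave via eth2
]

if __name__ == "__main__":
    for row in classify(ROUTES, PACKETS):
        print(*row)
```

The last sample packet is the asymmetric-routing case: the source is genuine, but strict mode drops it because the best route back does not use the arrival interface.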

