On Thu, Aug 28, 2014 at 04:31:22PM +0200, Enno Rey wrote:
> to be honest, as another security person, I'm not really sure about the
> benefit of uRPF in the IPv6 world, in some scenarios.
> imagine a single infected smartphone on LTE, generating connections with
> potentially 2^64 different source addresses from its assigned /64. How
> would you counter that with uRPF?

With uRPF in place, you can just block off that /64. Without, the smartphone can fake addresses in the entire 2000::/3 unicast space. That's a pretty obvious win; uRPF didn't in itself prevent the attack, but it made it a lot easier to mitigate it.

Also, uRPF makes a large class of traffic amplification attacks impossible, since you can't fake the source address anymore.

/* Steinar */
--
Software Engineer, Google Switzerland
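
Added example, not part of the original message or written by its author: a sketch of the mitigation argument above, collapsing observed source addresses to their covering /64 to find a prefix that can be blocked. The function name, the threshold of 100 distinct sources, and the 2001:db8:0:1::/64 documentation prefix standing in for the handset's assignment are all assumptions; the sample traffic is constructed.

```python
import ipaddress
import random
from collections import defaultdict


def blockable_prefixes(sources, min_distinct=100, prefixlen=64):
    """Group source addresses by covering prefix (hypothetical helper).

    Returns the prefixes that emitted at least min_distinct different
    source addresses, i.e. the candidates for a single block rule.
    """
    seen = defaultdict(set)
    for src in sources:
        # strict=False masks off the interface identifier for us.
        net = ipaddress.IPv6Network((src, prefixlen), strict=False)
        seen[net].add(ipaddress.IPv6Address(src))
    return sorted(net for net, addrs in seen.items() if len(addrs) >= min_distinct)


# --- Constructed sample data (seeded so the result is reproducible) ---
rng = random.Random(1)
HANDSET = ipaddress.IPv6Network("2001:db8:0:1::/64")  # assumed customer /64


def random_in(net):
    """Pick a pseudo-random address inside net."""
    return str(net.network_address + rng.getrandbits(128 - net.prefixlen))


# uRPF enforced: every source the handset uses stays inside its own /64.
with_urpf = [random_in(HANDSET) for _ in range(500)]
# A few ordinary clients, one address each, in neighbouring /64s.
with_urpf += ["2001:db8:0:%x::1" % n for n in range(2, 50)]

# No uRPF: the same volume of traffic with sources anywhere in 2000::/3.
without_urpf = [random_in(ipaddress.IPv6Network("2000::/3")) for _ in range(500)]

if __name__ == "__main__":
    print("with uRPF:   ", blockable_prefixes(with_urpf))
    print("without uRPF:", blockable_prefixes(without_urpf))
```

With source validation in place the 500 addresses collapse to one /64; without it, no prefix accumulates enough sources to stand out and there is nothing narrower than 2000::/3 to filter.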