On 8/28/14 10:56 AM, Eric Vyncke (evyncke) wrote:
Hi Enno,
Regarding a 3GPP phone, AFAIK, it receives a /64 so it is scalable and
easy to enforce uRPF at the very first layer-3 routers. Same for a home
CPE (with a very minor impact, uRPF has same performance as plain
forwarding == same lookup technique) and anyway the BNG/BRAS does DHCP-PD
snooping and should do uRPF as well. Pretty much like in IPv4.
But, we may indeed suspect that uRPF on a longer prefix such as /96 (??)
could be as efficient as forwarding to a /96 which is rumored to be less
efficient than forwarding to a prefix shorter than 64. Just a wild guess
(and please do not assume some magical knowledge of mine based on my email
address)
We have been told by Cisco that things like uRPF aren't likely to be
tested/optimized. Folks forget it in the hardware design phase and
then it's too late. There is no cultural habit to think about
security first. CSCuq42336 is a clear example of security not even
being thought of.
- Jared
