> Install this on all your internal, upstream, downstream
> interfaces (Cisco router) [CEF required]:
>
> "ip verify unicast source reachable-via any"
>
> This will drop all packets on the interface that do not
> have a way to return them in your routing table.

Of course, this is the IP RIB and may not include all the
potential paths in the BGP Adj-RIBs-In, right? As such,
you've still got the potential for asymmetric routing to
break things.

> Juniper has a somewhat viable solution to the 100% source
> validation for bgp customers. They will consider non-best
> paths in their unicast-rpf check on the customer interface. This
> means that even if 35.0.0.0/8 is best returned via your
> peer instead of via the provider the packet came in, but they
> are advertising the prefix to you, you will not drop the packet.

What's a "bgp customer"? Can they support 500K+ uRPF entries here?
-danny
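
The three source checks discussed in this thread (loose "reachable-via any", strict, and the check that also considers non-best paths), modelled in Python as an added example that is not part of the original messages and is not vendor code. The interface names `peer0` and `cust0`, the table entries other than 35.0.0.0/8, and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed Adj-RIB-In: (prefix, interface the path was learned on, is_best).
# 35.0.0.0/8 mirrors the case in the thread: the customer advertises it, but
# the best path is via the peer. 198.51.100.0/24 is heard only from the peer.
ADJ_RIB_IN = [
    ("35.0.0.0/8", "peer0", True),
    ("35.0.0.0/8", "cust0", False),
    ("198.51.100.0/24", "peer0", True),
]

def _paths_for(src, best_only):
    """Longest-prefix match for src; return the interfaces of matching paths."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc, best in ADJ_RIB_IN
               if (best or not best_only) and addr in ipaddress.ip_network(p)]
    if not matches:
        return set()
    longest = max(net.prefixlen for net, _ in matches)
    return {ifc for net, ifc in matches if net.prefixlen == longest}

def urpf(mode, src, ingress):
    """Return True if a packet with source src arriving on ingress is accepted."""
    if mode == "loose":      # "reachable-via any": some best route back exists
        return bool(_paths_for(src, best_only=True))
    if mode == "strict":     # best route back must point out the ingress interface
        return ingress in _paths_for(src, best_only=True)
    if mode == "feasible":   # any received path, best or not, via ingress
        return ingress in _paths_for(src, best_only=False)
    raise ValueError(f"unknown mode: {mode}")

if __name__ == "__main__":
    # Constructed packets, all arriving on the customer interface.
    for src in ("35.1.2.3", "198.51.100.7", "203.0.113.9"):
        print(src, {m: urpf(m, src, "cust0") for m in ("loose", "strict", "feasible")})
```

In this model the loose check accepts 198.51.100.7 on the customer interface because a route back exists somewhere, while the non-best-path check drops it and still accepts the asymmetric 35.0.0.0/8 case.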