On Sun, 15 Dec 2019 at 15:01, Victor Sudakov <[email protected]> wrote:
> Igor Podlesny wrote:
> > [...]
> > >     to be honest I don't know at top of my head, what is a good/typical
> > >     use-case for if-bound state policy. I assume those set-ups must be
> > >     rare/special.
> >
> > anti-spoofing.
> >
> > In case one suspects a spoofing attack can be carried out on some "side" network
> > interface(s), leveraging if-bound state option allows to eliminate the threat.
>
> Isn't "antispoof" for that already?

If we're talking about __new__ connection attempts, it will work, of course.

But we discussed "states" instead so far.

Also being attentive enough (obviously) you'll find that "antispoof"
__requires__ an interface name to function

    ("urpf-failed" doesn't but still you'll need to bypass state look-ups for this to be effective)

meanwhile "if-bound" can be applied independently.
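
The distinction discussed in this thread, as an added pf.conf fragment that is not part of the original messages. The interface names em0 and em1 and the rule layout are assumptions made for illustration.

```pf
# Added illustration, not from the thread. Interface names are assumed.
int_if  = "em0"   # trusted LAN (assumed)
side_if = "em1"   # "side" interface where spoofing is suspected (assumed)

# With floating states, a state created on one interface also matches
# packets with the same addresses and ports arriving on any other
# interface. Packets that match a state are passed without the ruleset
# being evaluated, so the filter rules below never see them.
# set state-policy floating

# With if-bound, a state matches only on the interface it was created on.
# A packet with the same tuple arriving on $side_if finds no state and
# falls through to the ruleset.
set state-policy if-bound

# antispoof needs an interface name. It is a ruleset check, so it only
# applies to packets that did not match an existing state.
antispoof quick for $int_if

# urpf-failed needs no interface name, but it is also a ruleset check.
block in quick from urpf-failed

block in all
pass in on $int_if inet proto tcp from $int_if:network to any keep state

# Per-rule alternative to the global option above:
# pass in on $int_if inet proto tcp from $int_if:network to any \
#     keep state (if-bound)
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -vss` lists current states in verbose form.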
