> On 4 April 2010 18:56, Pete Vickers <pete@systemnet.no> wrote:
>> On 31 March 2010, at 20.01, Claudio Jeker wrote:
>>
>>> On Wed, Mar 31, 2010 at 08:08:01PM +0300, Eugene Yunak wrote:
>>>> On 31 March 2010 19:27, N. Arley Dealey <arley.dealey@gmail.com> wrote:
>>>>> It would appear to me that antispoof and URPF achieve similar results. Is
>>>>> there a reason to prefer one over the other?
>>>>
>>>> Not at all. antispoof blocks ip packets that came in from the wrong
>>>> interface, while URPF blocks packets from "aliens" (no entry in
>>>> routing table for the source address). Just look at the output of
>>>> pfctl -sr
>>>>
>>>
>>> Not at all. URPF does not only check if a route exists it also checks that
>>> the route is pointing to the interface the packet came in.
>>>
>>> Antispoof is only for the LAN while URPF is actually capable of tracking
>>> stuff further down. This is at the same time the problem of URPF if you
>>> have asymmetric routing URPF fails. Antispoof works in this case since it
>>> is hard to get asymmetric routing on the LAN.
>>>
>>> --
>>> :wq Claudio
>>>
>>
>>
>> uRPF (at least recent incarnations of it) can be /configured/ to drop packets
>> based on presence of /either/ :
>>
>> - a matching FIB prefix outbound on the same interface the packet arrived on
>> (strict mode)
>> - a matching FIB prefix outbound on any interface (loose mode)
>>
>> you can also mask uRPF effect to only a subset of packets/prefixes with an
>> ACL.
>>
>>
>> pretty extensive explanation here:
>>
>>
>> http://www.cisco.com/web/about/security/intelligence/urpf.pdf
>>
>
> Do you realise that this is an OpenBSD mailing list, and we are
> discussing OpenBSD's pf implementation of uRPF?
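As an added illustration, not part of the thread, here is a pf.conf fragment showing how the two mechanisms discussed above are expressed in OpenBSD's pf, and where the asymmetric-routing caveat applies; the interface names em0/em1 and the 192.0.2.0/24 LAN are assumed values:

```pf
# Assumed topology: em0 is the upstream link, em1 is the LAN.
ext_if = "em0"
int_if = "em1"
lan_net = "192.0.2.0/24"

set skip on lo0

# antispoof: a macro that pf expands into block rules for the networks
# directly attached to the named interfaces. For em1 it becomes roughly
#   block drop in on ! em1 inet from 192.0.2.0/24 to any
#   block drop in inet from <em1's own address> to any
# i.e. it only covers the LAN prefix, exactly as Claudio describes.
# Run "pfctl -sr" after loading to see the expanded rules.
antispoof log quick for { lo0 $int_if }

# urpf-failed: strict-mode uRPF against the kernel routing table. The
# packet is dropped when the route back to its source address does not
# point at the interface the packet arrived on. This reaches beyond the
# LAN, but fails under asymmetric routing, so it is applied only on the
# upstream interface, where the path is symmetric by design.
block in log quick on $ext_if from urpf-failed label "urpf-failed"

# Do NOT add "from urpf-failed" on interfaces where legitimate replies may
# arrive via a different path (multiple upstreams, policy routing);
# rely on antispoof there instead.

pass out on $ext_if
pass in on $int_if inet from $lan_net
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -vsr` shows the per-rule counters, so the antispoof and urpf-failed rules can be compared for hits.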