Hi Gert,

On Mon, 25 Jul 2011, Gert Doering wrote:
On Mon, Jul 25, 2011 at 11:37:05AM +0200, Sander Steffann wrote:
5) ?
Adapt uRPF so that it doesn't filter ICMP error messages. Whether this is useful depends on how many ICMP error messages with unreachable source addresses we expect to see. When people/organizations start to use ULA addresses it might be more than we see now.
Indeed this sounds like a good "option #5".
Christian, can your gear do IPv6-uRPF-with-permit-ACLs in Hardware?
(My gear can only do IPv6-uRPF in software, no matter what options I use, so we currently filter by ACL)
Both Juniper MX960 and Cisco CRS-1 are able to do IPv6 uRPF incl. permit ACL (Cisco) and fail-filter (Juniper) in hardware, so we would like to use it as for IPv4.

Regards,
Chris
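
A small model of the "option 5" behaviour discussed in this thread, added here as an illustration and not written by any of the posters or taken from vendor documentation: strict uRPF with a permit rule that lets ICMPv6 error messages through when their source fails the reverse-path check. The FIB, interface names, packets and function names are constructed assumptions; this is not router configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ICMPV6 = 58                          # IPv6 next-header value for ICMPv6
ICMPV6_ERROR_TYPES = {1, 2, 3, 4}    # Dest Unreachable, Packet Too Big, Time Exceeded, Parameter Problem

# Constructed FIB: (prefix, interface the route points out of).
FIB = [
    (ipaddress.ip_network("2001:db8:a::/48"), "cust0"),
    (ipaddress.ip_network("2001:db8:b::/48"), "cust1"),
    (ipaddress.ip_network("::/0"), "upstream0"),
]

@dataclass
class Packet:
    src: str
    ingress: str
    next_header: int
    icmp_type: Optional[int] = None

def rpf_interface(src: str) -> Optional[str]:
    """Longest-prefix match on the source address, as strict uRPF does."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifc) for net, ifc in FIB if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def is_icmpv6_error(pkt: Packet) -> bool:
    return pkt.next_header == ICMPV6 and pkt.icmp_type in ICMPV6_ERROR_TYPES

def verdict(pkt: Packet, permit_icmp_errors: bool) -> str:
    if rpf_interface(pkt.src) == pkt.ingress:
        return "forward"                     # source passes strict uRPF
    if permit_icmp_errors and is_icmpv6_error(pkt):
        return "forward (exempted)"          # failed uRPF, matched the permit rule
    return "drop"

# Constructed packets, all arriving on cust0.
SAMPLES = {
    "customer TCP":        Packet("2001:db8:a::10", "cust0", 6),
    "ULA Packet Too Big":  Packet("fd12:3456:789a::1", "cust0", ICMPV6, 2),
    "ULA echo request":    Packet("fd12:3456:789a::1", "cust0", ICMPV6, 128),
    "spoofed UDP":         Packet("2001:db8:b::5", "cust0", 17),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20} plain={verdict(pkt, False):8} option5={verdict(pkt, True)}")
```

Only the ULA-sourced Packet Too Big changes verdict between the two modes; the echo request and the spoofed UDP packet are dropped either way.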