List:       openbsd-misc
Subject:    Re: PF: antispoof vs URPF
From:       Claudio Jeker <cjeker () diehard ! n-r-g ! com>
Date:       2010-03-31 18:01:28
Message-ID: 20100331180128.GB2019 () diehard ! n-r-g ! com

On Wed, Mar 31, 2010 at 08:08:01PM +0300, Eugene Yunak wrote:
> On 31 March 2010 19:27, N. Arley Dealey <arley.dealey@gmail.com> wrote:
> > It would appear to me that antispoof and URPF achieve similar results. Is
> > there a reason to prefer one over the other?
> 
> Not at all. antispoof blocks ip packets that came in from the wrong
> interface, while URPF blocks packets from "aliens" (no entry in
> routing table for the source address). Just look at the output of
> pfctl -sr
> 

Not at all. URPF does not only check if a route exists, it also checks that
the route is pointing to the interface the packet came in on.

Antispoof is only for the LAN while URPF is actually capable of tracking
stuff further down. This is at the same time the problem of URPF: if you
have asymmetric routing, URPF fails. Antispoof works in this case since it
is hard to get asymmetric routing on the LAN.

-- 
:wq Claudio
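
A simplified model of the two checks described in the message above, added here as an example and not part of the original thread. The interface names, prefixes and routing table are constructed, and the antispoof model covers only the "source from the connected network must arrive on that interface" rule.

```python
import ipaddress

# Constructed topology (assumption): LAN on em1, two upstream links em0 and em2.
CONNECTED = {"em1": ipaddress.ip_network("192.168.1.0/24")}
ROUTES = [  # (prefix, interface the route points out of)
    (ipaddress.ip_network("192.168.1.0/24"), "em1"),
    (ipaddress.ip_network("203.0.113.0/24"), "em0"),
    (ipaddress.ip_network("0.0.0.0/0"), "em0"),
]

def lookup(addr):
    """Longest-prefix match; returns the route's interface, or None if no route."""
    matches = [(net.prefixlen, ifc) for net, ifc in ROUTES if addr in net]
    return max(matches)[1] if matches else None

def urpf_pass(src, in_if):
    """Strict uRPF: a route back to src must exist AND point to in_if."""
    return lookup(ipaddress.ip_address(src)) == in_if

def antispoof_pass(src, in_if, protected="em1"):
    """Antispoof for one interface: a source inside that interface's directly
    connected network is accepted only when it arrives on that interface."""
    addr = ipaddress.ip_address(src)
    return not (addr in CONNECTED[protected] and in_if != protected)

def verdicts(src, in_if):
    return {"urpf": urpf_pass(src, in_if),
            "antispoof": antispoof_pass(src, in_if)}

# Constructed packets: (source address, ingress interface, description)
CASES = [
    ("192.168.1.50", "em1", "LAN host on the LAN interface"),
    ("192.168.1.50", "em0", "LAN source arriving from upstream (spoofed)"),
    ("203.0.113.7", "em0", "remote host, symmetric path"),
    ("203.0.113.7", "em2", "remote host, asymmetric path (return route is em0)"),
]

if __name__ == "__main__":
    for src, in_if, why in CASES:
        v = verdicts(src, in_if)
        print(f"{src:>13} in on {in_if}: urpf={'pass' if v['urpf'] else 'DROP'} "
              f"antispoof={'pass' if v['antispoof'] else 'DROP'}  # {why}")
```

The last case is the asymmetric-routing failure: the packet is legitimate, but the route back to its source points to a different interface, so strict uRPF drops it while antispoof does not.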
