Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Running with different mode for rp_filter? #338

Open
vsoch opened this issue Sep 24, 2024 · 0 comments
Open

Running with different mode for rp_filter? #338

vsoch opened this issue Sep 24, 2024 · 0 comments

Comments

@vsoch
Copy link
Contributor

vsoch commented Sep 24, 2024

It looks like rp_filter is required to be 2:

rp_filter - INTEGER
    0 - No source validation.
    1 - Strict mode as defined in RFC3704 Strict Reverse Path
        Each incoming packet is tested against the FIB and if the interface
        is not the best reverse path the packet check will fail.
        By default failed packets are discarded.
    2 - Loose mode as defined in RFC3704 Loose Reverse Path
        Each incoming packet's source address is also tested against the FIB
        and if the source address is not reachable via any interface
        the packet check will fail.

@AkihiroSuda is there any means to run with 0, and if not, is there some scoped way we could set this for usernetes and make a solid argument to prevent ip spoofing? I learned from one of our admins that current recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended. So if that's the only way, I'd need a solid argument for how it could be OK.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant