From owner-freebsd-isp@FreeBSD.ORG  Thu Oct  2 20:45:52 2003
Return-Path: <owner-freebsd-isp@FreeBSD.ORG>
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 92F4A16A4B3
	for <freebsd-isp@freebsd.org>; Thu,  2 Oct 2003 20:45:52 -0700 (PDT)
Received: from mx01.bos.ma.towardex.com (a65-124-16-8.svc.towardex.com
	[65.124.16.8])	by mx1.FreeBSD.org (Postfix) with ESMTP id EE25843FDD
	for <freebsd-isp@freebsd.org>; Thu,  2 Oct 2003 20:45:51 -0700 (PDT)
	(envelope-from haesu@mx01.bos.ma.towardex.com)
Received: by mx01.bos.ma.towardex.com (TowardEX ESMTP 3.0p11_DAKN, from userid
	1001)	id A111F2F911; Thu,  2 Oct 2003 23:46:11 -0400 (EDT)
Date: Thu, 2 Oct 2003 23:46:11 -0400
From: Haesu <haesu@towardex.com>
To: freebsd-isp@freebsd.org
Message-ID: <20031003034611.GA59149@scylla.towardex.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
Subject: uRPF on FreeBSD
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers <freebsd-isp.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-isp>,
	<mailto:freebsd-isp-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-isp>
List-Post: <mailto:freebsd-isp@freebsd.org>
List-Help: <mailto:freebsd-isp-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-isp>,
	<mailto:freebsd-isp-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Oct 2003 03:45:52 -0000

Is there any reverse-path verification feature in FreeBSD kernel?

reverse-path verification as in uRPF (unicast reverse path filtering) widely
used for anti-ip-spoofing.

If it is supported, then does FreeBSD's uPRF implementation also allow loose
and strict check like on Cisco?  

Also... one last question that goes with this..
If uRPF feature is in FreeBSD, and if I route a prefix to ds0 (discard/null
interface "pseudo-device disc"), and a packet originates with source of a route
that is forwarded to ds0, would that invoke a verification drop? On Cisco, if
an origin packet has a source ip that's routed to Null0 or does not exist in
routing table (this is under loose check), then it would cause a verification
drop..

Thanks!
-hc

-- 
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | haesu@towardex.com
Cell: (978)394-2867     | Office: (978)263-3399 Ext. 170
Fax: (978)263-0033      | POC: HAESU-ARIN