Friday, June 1, 2018

BCP38 (reverse path filtering) Linux IPv6

Hello,

implementing BCP38 for IPv4 on Linux is very easy, just flip the switch in "/proc/sys/net/ipv4/conf/*/rp_filter". Unfortunately this is, to my knowledge, not possible for IPv6. The only solution I could find is the "rpfilter" extension for ip(6)tables.[2]

My use case is a Debian x86 router which is CPU-wise underpowered. I'm not doing any firewalling till now, hoping that, as long as it doesn't have to do connection tracking or look at anything above Layer 3, as much hardware offloading as possible is done by the NIC (Mellanox ConnectX-3).

My questions now are:

  • Is there any other way to achieve BCP38 for IPv6 on Linux (apart from individual firewall rules :) )?

  • Using iptables, rpfilter is in the RAW table, so no connection tracking is done. Will enabling this have a great impact on the CPU usage?

  • Would there be any difference (especially in regards to CPU load and therefore throughput) between implementing reverse path filtering for IPv4 via "/proc/sys/net/ipv4/conf/*/rp_filter" vs. "iptables -t raw -A RPFILTER -m rpfilter --invert -j DROP"?

Thanks for your help!

[1] http://www.bcp38.info

[2] http://ipset.netfilter.org/iptables-extensions.man.html
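As an added example (not part of the post above), the following script emits the two halves of the setup the question compares: the IPv4 rp_filter sysctls and an ip6tables-restore ruleset using the rpfilter match from [2] in the raw table. It assumes the rpfilter and LOG extensions are available, and `MODE=loose` maps the sysctl value 2 onto `--loose` for routers with asymmetric return paths.

```sh
#!/bin/sh
# Added example (not from the post): emit reverse path filter settings for a Linux
# router. IPv4 uses the rp_filter sysctl; IPv6 has no such sysctl, so it uses the
# ip6tables "rpfilter" match in the raw table, which runs before conntrack.
# Nothing is applied unless APPLY=1 is set, so the output can be reviewed first.
set -eu
# strict: rp_filter=1 / plain "-m rpfilter" (the route back to the source must
# leave via the ingress interface). loose: rp_filter=2 / "-m rpfilter --loose"
# (any route back suffices), for asymmetric paths where strict mode drops traffic.
MODE="${MODE:-strict}"

bcp38_ip4_sysctl() {
    case "$MODE" in
        strict) v=1 ;;
        loose)  v=2 ;;
        *) echo "unknown MODE: $MODE" >&2; return 1 ;;
    esac
    # The kernel uses max(all, <ifname>) per interface; "default" seeds interfaces
    # created later.
    printf 'net.ipv4.conf.all.rp_filter=%s\n' "$v"
    printf 'net.ipv4.conf.default.rp_filter=%s\n' "$v"
}

bcp38_ip6_rules() {
    case "$MODE" in
        strict) opt="" ;;
        loose)  opt=" --loose" ;;
        *) echo "unknown MODE: $MODE" >&2; return 1 ;;
    esac
    # ip6tables-restore format for the raw table only; other tables are untouched.
    # RPFILTER is a user-defined chain so failures are rate-limit logged before the
    # drop; the one-rule form from the post ("-m rpfilter --invert -j DROP") is the
    # same minus logging. The IPv6 match passes the unspecified source "::" (DAD).
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RPFILTER - [0:0]
-A PREROUTING -j RPFILTER
-A RPFILTER -m rpfilter${opt} -j RETURN
-A RPFILTER -m limit --limit 10/minute -j LOG --log-prefix "bcp38-v6 drop: "
-A RPFILTER -j DROP
COMMIT
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    bcp38_ip4_sysctl | while read -r kv; do sysctl -w "$kv"; done
    bcp38_ip6_rules | ip6tables-restore
else
    bcp38_ip4_sysctl; bcp38_ip6_rules
fi
```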
