nanog mailing list archives
Re: uPRF strict more
From: brad dreisbach <bradd () us ntt net>
Date: Wed, 29 Sep 2021 14:35:16 -0400
On Wed, Sep 29, 2021 at 06:14:21PM +0000, Phil Bedard wrote:
Disclosure: I work for Cisco and try to look after some of their peering guidelines. Agree with Adam's statement, use uRPF on edge DIA customers. Using it elsewhere on the network eventually is going to cause some issue and its usefulness today is almost nil. That being said we still see large providers who have it turned on for peering/transit interfaces either out of legacy configuration or other reasons. The vast majority do not use it for those interface roles.
uRPF incurs a quite severe pps penalty on all of the NPUs i've ever tested. we have dabbled with it many times over the years and always eventually end up turning it off (for good this last time, probably). -b
Phil

From: NANOG <nanog-bounces+bedard.phil=gmail.com () nanog org> on behalf of Adam Thompson <athompson () merlin mb ca>
Date: Wednesday, September 29, 2021 at 1:08 PM
To: Amir Herzberg <amir.lists () gmail com>, Randy Bush <randy () psg com>
Cc: North American Network Operators' Group <nanog () nanog org>
Subject: Re: uPRF strict more

We just ran into a typical case where uRPF caused a partial outage for one of my customers: the customer is multi-homed, with another provider that I'm also connected to. Customer advertised a longer prefix to the other guy, so I started sending traffic destined for Customer to the Other Provider... who then promptly dropped it because they had uRPF enabled on the peering link, and they were seeing random source IPs that weren't mine.

Well... yeah, that can happen (semi-legitimately) anytime you have a topological triangle in peering.

I've concluded over the last 2 years that uRPF is only useful on interfaces pointing directly at non-multi-homed customers, and actively dangerous anywhere else.

-Adam

Adam Thompson
Consultant, Infrastructure Services
100 - 135 Innovation Drive
Winnipeg, MB, R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
athompson () merlin mb ca
www.merlin.mb.ca

________________________________
From: NANOG <nanog-bounces+athompson=merlin.mb.ca () nanog org> on behalf of Amir Herzberg <amir.lists () gmail com>
Sent: September 28, 2021 20:06
To: Randy Bush <randy () psg com>
Cc: North American Network Operators' Group <nanog () nanog org>
Subject: Re: uPRF strict more

Randy, great question. I'm teaching that it's very rarely, if ever, used (due to high potential for benign loss); it's always great to be either confirmed or corrected... So if anyone replies just to Randy - pls cc me too (or, Randy, if you could sum up and send to list or me - thanks!)
Amir
--
Amir Herzberg
Comcast professor of Security Innovations, Computer Science and Engineering, University of Connecticut
Homepage: https://sites.google.com/site/amirherzberg/home
`Applied Introduction to Cryptography' textbook and lectures: https://sites.google.com/site/amirherzberg/applied-crypto-textbook

On Tue, Sep 28, 2021 at 8:50 PM Randy Bush <randy () psg com> wrote:

do folk use uPRF strict mode?

i always worried about the multi-homed customer sending packets out the other way which loop back to me; see RFC 8704 §2.2

do vendors implement the complexity of 8704; and, if so, do operators use it?

clue bat please

randy
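The two uRPF failure cases the thread describes (strict mode on a multi-homed customer link whose best return path points at the other provider, and strict mode on a peering link that sees traffic with arbitrary Internet source addresses) modelled as an added example; it is not code from any poster. It assumes a simplified router view where a prefix may hold a best path plus alternate paths, which is what separates feasible-path uRPF from strict mode, and uses constructed RFC 5737 addresses and hypothetical interface names.

```python
import ipaddress
from collections import defaultdict

def build_rib(entries):
    """entries: (prefix, interface, is_best). A prefix may carry several
    paths; non-best ones are the alternates feasible-path uRPF can use."""
    rib = defaultdict(list)
    for prefix, iface, best in entries:
        rib[ipaddress.ip_network(prefix)].append((iface, best))
    return rib

def urpf_permits(rib, src, ingress, mode):
    """True if a packet with source src arriving on ingress passes the check."""
    addr = ipaddress.ip_address(src)
    matches = [(net, paths) for net, paths in rib.items() if addr in net]
    if not matches:
        return False  # unrouted source: every mode drops it
    if mode == "loose":
        return True   # a route to the source via any interface is enough
    _, paths = max(matches, key=lambda m: m[0].prefixlen)  # longest match
    if mode == "strict":
        return any(i == ingress for i, best in paths if best)
    if mode == "feasible":
        return any(i == ingress for i, _ in paths)  # best or alternate path
    raise ValueError(mode)

def thread_scenarios():
    """Constructed topologies (RFC 5737 addresses) mirroring the thread."""
    # ISP A: customer C announces 192.0.2.0/24 to both A and B but prepends
    # toward A, so A's best path is via its peering with B and the direct
    # customer link survives only as an alternate path.
    isp_a = build_rib([("192.0.2.0/24", "peer-B", True),
                       ("192.0.2.0/24", "cust-C", False)])
    # ISP B: packets A forwards to C over the A-B peering carry Internet
    # sources that B reaches via transit, never via the peering link.
    isp_b = build_rib([("192.0.2.0/24", "cust-C", True),
                       ("198.51.100.0/24", "transit", True)])
    return {
        # multi-homed customer: C's own packet arrives at A on the customer link
        "A cust strict": urpf_permits(isp_a, "192.0.2.7", "cust-C", "strict"),
        "A cust feasible": urpf_permits(isp_a, "192.0.2.7", "cust-C", "feasible"),
        # Adam's outage: Internet-sourced packet arrives at B from A's peering
        "B peer strict": urpf_permits(isp_b, "198.51.100.9", "peer-A", "strict"),
        "B peer feasible": urpf_permits(isp_b, "198.51.100.9", "peer-A", "feasible"),
        "B peer loose": urpf_permits(isp_b, "198.51.100.9", "peer-A", "loose"),
        # source with no route anywhere: dropped by every mode
        "B peer unrouted": urpf_permits(isp_b, "203.0.113.1", "peer-A", "loose"),
    }
```

Only loose mode survives the peering case, and only feasible-path (or loose) survives the multi-homed customer case, which is the operational point the thread makes about where strict mode belongs.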