Re: uPRF strict more

[brad dreisbach <bradd () us ntt net>]

On Wed, Sep 29, 2021 at 06:14:21PM +0000, Phil Bedard wrote:
> Disclosure I work for Cisco and try to look after some of their peering guidelines.
>
> Agree with Adam’s statement, use uRPF on edge DIA customers.  Using it elsewhere on the network eventually is going to 
> cause some issue and its usefulness today is almost nil.  That being said we still see large providers who have it 
> turned on for peering/transit interfaces either out of legacy configuration or other reasons.  The vast majority do not 
> use it for those interface roles.

uRPF incurs a quite severe pps penalty on all of the NPUs i've ever tested.
we have dabbled with it many times over the years and always eventually
end up turning it off(for good this last time, probably).

-b

> Phil
>
> From: NANOG <nanog-bounces+bedard.phil=gmail.com () nanog org> on behalf of Adam Thompson <athompson () merlin mb ca>
> Date: Wednesday, September 29, 2021 at 1:08 PM
> To: Amir Herzberg <amir.lists () gmail com>, Randy Bush <randy () psg com>
> Cc: North American Network Operators' Group <nanog () nanog org>
> Subject: Re: uPRF strict more
> We just ran into a typical case where uRPF caused a partial outage for one of my customers: the customer is multi-homed, with 
> another provider that I'm also​ connected to.  Customer advertised a longer-prefix to the other guy, so I started sending 
> traffic destined for Customer to the Other Provider... who then promptly dropped it because they had uRPF enabled on the peering 
> link, and they were seeing random source IPs that weren't mine.  Well... yeah, that can happen (semi-legitimately) anytime 
> you have a topological triangle in peering.
>
> I've concluded over the last 2 years that uRPF is only​ useful on interfaces pointing directly at non-multi-homed 
> customers, and actively dangerous anywhere else.
>
> -Adam
>
> Adam Thompson
> Consultant, Infrastructure Services
> [1593169877849]
> 100 - 135 Innovation Drive
> Winnipeg, MB, R3T 6A8
> (204) 977-6824 or 1-800-430-6404 (MB only)
> athompson () merlin mb ca<mailto:athompson () merlin mb ca>
> www.merlin.mb.ca<http://www.merlin.mb.ca/>
> ________________________________
> From: NANOG <nanog-bounces+athompson=merlin.mb.ca () nanog org> on behalf of Amir Herzberg <amir.lists () gmail com>
> Sent: September 28, 2021 20:06
> To: Randy Bush <randy () psg com>
> Cc: North American Network Operators' Group <nanog () nanog org>
> Subject: Re: uPRF strict more
>
> Randy, great question. I'm teaching that it's very rarely, if ever, used (due to high potential for benign loss); it's 
> always great to be either confirmed or corrected...
>
> So if anyone replies just to Randy - pls cc me too (or, Randy, if you could sum up and send to list or me - thanks!)
>
> Amir
> --
> Amir Herzberg
>
> Comcast professor of Security Innovations, Computer Science and Engineering, University of Connecticut
> Homepage: https://sites.google.com/site/amirherzberg/home
> `Applied Introduction to Cryptography' textbook and lectures: 
> https://sites.google.com/site/amirherzberg/applied-crypto-textbook<https://sites.google.com/site/amirherzberg/applied-crypto-textbook>
>
>
>
>
> On Tue, Sep 28, 2021 at 8:50 PM Randy Bush <randy () psg com<mailto:randy () psg com>> wrote:
> do folk use uPRF strict mode?  i always worried about the multi-homed
> customer sending packets out the other way which loop back to me;  see
> RFC 8704 §2.2
>
> do vendors implement the complexity of 8704; and, if so, do operators
> use it?
>
> clue bat please
>
> randy