nanog mailing list archives
unicast RPF for peers viable?
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Sun, 5 May 2002 12:10:36 +0200 (CEST)
On Sun, 5 May 2002, Christopher L. Morrow wrote:
I was hoping someone else might mention this, BUT what about the case of customers providing transit for outbound but not inbound traffic for their customers? We have many, many cases of customers that are 'default routing' for their customers that get inbound traffic down alternate customers or peers or wherever... uRPF seems like a not so good solution for these instances :( especially since some of these are our worst abusers :(
This dilemma has far reaching repercussions: If _you_ allow this and forego the unicast RPF check for these customers, this means your peers can't do uRPF towards you without breaking connectivity for these customers. In a perfect world, there would be no need to do uRPF on peering interfaces, because peers make sure they don't send packets with spoofed source addresses. Unfortunately, in the real world many networks STILL don't bother and thereby allow hard to trace and filter DDoS attacks to be launched from inside their networks. So what is the collective wisdom on the NANOG list? Is uRPF on peering interfaces a viable option and if it breaks esoteric customer configurations, too bad; or is it something that should be discouraged because it breaks legitimate customer needs? If you feel strongly one way or the other, but don't want to join the discussion, please reply with a "yes to peering uRPF" or "no to peering uRPF" in private email, and I'll summerize to the list. Iljitsch van Beijnum
Current thread:
- Re: /31 mask address, (continued)
- Re: /31 mask address Robert E. Seastrom (May 03)
- Re: /31 mask address Manolo Hernandez (May 03)
- Re: /31 mask address Andre Chapuis (May 03)
- Re: /31 mask address JAKO Andras (May 06)
- Re: /31 mask address Simon Lockhart (May 06)
- Re: /31 mask address Miguel Mata-Cardona (May 03)
- Re: Effective ways to deal with DDoS attacks? Stephen Griffin (May 04)
- Re: Effective ways to deal with DDoS attacks? Christopher L. Morrow (May 04)
- Re: Effective ways to deal with DDoS attacks? Iljitsch van Beijnum (May 05)
- RE: Effective ways to deal with DDoS attacks? Barry Raveendran Greene (May 05)
- unicast RPF for peers viable? Iljitsch van Beijnum (May 05)
- Re: unicast RPF for peers viable? Richard A Steenbergen (May 05)
- RE: unicast RPF for peers viable? Barry Raveendran Greene (May 05)
- uRPF Loose Check Mode vs. ACL Livio Ricciulli (May 05)
- Re: uRPF Loose Check Mode vs. ACL Richard A Steenbergen (May 05)
- Re: uRPF Loose Check Mode vs. ACL Livio Ricciulli (May 05)
- Re: uRPF Loose Check Mode vs. ACL Richard A Steenbergen (May 05)
- Re: uRPF Loose Check Mode vs. ACL Valdis . Kletnieks (May 05)
- Re: uRPF Loose Check Mode vs. ACL Richard A Steenbergen (May 05)
- Re: unicast RPF for peers viable? Stephen Griffin (May 05)
- Re: Effective ways to deal with DDoS attacks? Stephen Griffin (May 05)