nanog mailing list archives

Re: Ingress filtering on transits, peers, and IX ports


From: Jared Mauch <jared () puck nether net>
Date: Wed, 14 Oct 2020 13:29:46 -0400

On Tue, Oct 13, 2020 at 05:49:42PM -0500, Brian Knight via NANOG wrote:
> Hi Mel,
>
> My understanding of uRPF is:
>
> * Strict mode will permit a packet only if there is a route for the
> source IP in the RIB, and that route points to the interface where the
> packet was received
>
> * Loose mode will permit a packet if there is a route for the source IP
> in the RIB.  It does not matter where the route is pointed.
>
> Strict mode won't work for us, because with our multi-homed transits and
> IX peers, we will almost certainly drop a legitimate packet because the
> best route is through another transit.
>
> Loose mode won't work for us, because all of our own prefixes are in our
> RIB, and thus the uRPF check on a transit would never block anything.

        You'll be surprised at the garbage you would drop that you can't return.

        - Jared
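
The strict and loose checks described in the quoted message, and the no-route case the reply points to, modelled as an added example that is not part of the original thread. The RIB, interface names and packets are constructed, and the table is assumed to carry no default route.

```python
import ipaddress

# Constructed RIB: prefix -> interface of the best route. No default route (assumption).
RIB = {
    "198.51.100.0/24": "transit-a",  # remote network, best path via transit A
    "203.0.113.0/24": "ix-peer",     # remote network, best path via the IX
    "192.0.2.0/24": "internal",      # our own prefix, routed inward
}

def best_route_iface(src):
    """Longest-prefix match on the source address; None if no route exists."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), i) for p, i in RIB.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def urpf_permits(src, in_iface, mode):
    """Return True if the packet passes the uRPF check in the given mode."""
    iface = best_route_iface(src)
    if iface is None:
        return False              # no route back to the source: dropped in both modes
    if mode == "loose":
        return True               # any route is enough, wherever it points
    return iface == in_iface      # strict: route must point at the receiving interface

# Constructed packets: (source, receiving interface, description)
PACKETS = [
    ("203.0.113.5", "ix-peer", "legitimate, symmetric path"),
    ("198.51.100.7", "transit-b", "legitimate, best route via other transit"),
    ("192.0.2.10", "transit-a", "own prefix as source, arriving from outside"),
    ("10.1.2.3", "transit-a", "source with no route in the RIB"),
]

def evaluate():
    """Return (description, strict_result, loose_result) for each packet."""
    return [(d, urpf_permits(s, i, "strict"), urpf_permits(s, i, "loose"))
            for s, i, d in PACKETS]

if __name__ == "__main__":
    for desc, strict, loose in evaluate():
        print(f"{desc:45} strict={'permit' if strict else 'drop':6} "
              f"loose={'permit' if loose else 'drop'}")
```
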

