nanog mailing list archives

Re: urpf - evil?


From: Martijn Schmidt via NANOG <nanog () nanog org>
Date: Fri, 30 Oct 2020 20:16:12 +0000

Hi Baldur,

You are at risk of facilitating spoofed and/or reflection DDoS attacks if you don't implement BCP38.. that's why uRPF exists. :)

Best regards,
Martijn
________________________________
From: NANOG <nanog-bounces+martijnschmidt=i3d.net () nanog org> on behalf of Baldur Norddahl <baldur.norddahl () gmail com>
Sent: 30 October 2020 20:29
To: nanog () nanog org <nanog () nanog org>
Subject: urpf - evil?

Hello

While working on my ACLs I noticed that I was successful in blocking some apparently spoofed IPv6 traffic. The destination was Facebook and the source was an IPv6 range belonging to a mobile operator that sells 4G Wifi router based solutions.

So thinking about how and why a few customers end up sending packets to our network with the wrong source, I came up with a theory (not validated): What if the customer connects his 4G Wifi router to one of the LAN ports of our CPE (or vice versa)? His computer would then pick up an IPv6 range from both ISPs along with two default routes. But only one default route would be used, and in this case that was apparently the default route going to our network. But still his computer might use the IPv6 address from the other ISP as source and therefore he ends up "spoofing" by sending that to us. We deliver the packets to Facebook and I assume Facebook will route the replies just fine through the other ISP.

Now the thing is that my impression is that it actually works so long as I do not actively block it with uRPF or ACLs on our edge. I have learned that spoofing is evil and I should be blocking this - but why am I sabotaging something that apparently is doing just fine at some customers?

Regards,

Baldur
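
The check discussed in this thread, as an added example that is not part of either message: a small model of a uRPF decision on an edge router, applied to the dual-homed host scenario Baldur describes. The prefixes (documentation ranges), interface names and FIB contents are constructed, and treating the default route as non-matching in loose mode is an assumption, since that behaviour varies by platform.

```python
import ipaddress

# Constructed FIB of the edge router: (prefix, interface the route points to).
# Documentation prefixes and hypothetical interface names, not from the thread.
FIB = [
    ("2001:db8:a::/48", "cust-42"),    # prefix we delegated to this customer
    ("2001:db8:b::/48", "transit-1"),  # the mobile operator, learned via transit
    ("::/0", "transit-1"),             # default route
]

def matching_routes(src, fib):
    """All FIB entries covering src, longest prefix first."""
    ip = ipaddress.ip_address(src)
    routes = [(ipaddress.ip_network(p), iface) for p, iface in fib]
    hits = [r for r in routes if ip in r[0]]
    return sorted(hits, key=lambda r: r[0].prefixlen, reverse=True)

def urpf_pass(src, in_iface, mode="strict", fib=FIB):
    """Return True if a packet with source src arriving on in_iface is forwarded."""
    routes = matching_routes(src, fib)
    if not routes:
        return False
    if mode == "strict":
        # Strict: the best route back to the source must point at the
        # interface the packet arrived on.
        return routes[0][1] == in_iface
    if mode == "loose":
        # Loose: any route to the source is enough. Assumption: the default
        # route does not count as a match.
        return any(net.prefixlen > 0 for net, _ in routes)
    raise ValueError(f"unknown uRPF mode: {mode}")

if __name__ == "__main__":
    # Host behind our CPE that also holds an address from the mobile operator.
    for src in ("2001:db8:a::10", "2001:db8:b::10"):
        for mode in ("strict", "loose"):
            verdict = "forward" if urpf_pass(src, "cust-42", mode) else "drop"
            print(f"{src:16} on cust-42 ({mode}): {verdict}")
```

Strict mode on the customer-facing interface drops the packet sourced from the other ISP's range, while loose mode forwards it because a route to that prefix exists somewhere in the table.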

