nanog mailing list archives

Re: uPRF strict more


From: Brian Johnson <brian.johnson () netgeek us>
Date: Fri, 1 Oct 2021 08:31:15 -0500

For strict-mode... Completely agree.

As has been previously said, this is a tool that all players involved need to understand. This is no different than 
everyone correctly using BGP in their application for their outcomes.

On Sep 29, 2021, at 12:07 PM, Adam Thompson <athompson () merlin mb ca> wrote:

We just ran into a typical case where uRPF caused a partial outage for one of my customers: the customer is 
multi-homed, with another provider that I'm also connected to.  Customer advertised a longer-prefix to the other 
guy, so I started sending traffic destined for Customer to the Other Provider... who then promptly dropped it because 
they had uRPF enabled on the peering link, and they were seeing random source IPs that weren't mine.  Well... yeah, 
that can happen (semi-legitimately) anytime you have a topological triangle in peering.

I've concluded over the last 2 years that uRPF is only useful on interfaces pointing directly at non-multi-homed 
customers, and actively dangerous anywhere else.

-Adam

Adam Thompson
Consultant, Infrastructure Services

100 - 135 Innovation Drive
Winnipeg, MB, R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
athompson () merlin mb ca
www.merlin.mb.ca

From: NANOG <nanog-bounces+athompson=merlin.mb.ca () nanog org> on behalf of Amir Herzberg <amir.lists () gmail com>
Sent: September 28, 2021 20:06
To: Randy Bush <randy () psg com>
Cc: North American Network Operators' Group <nanog () nanog org>
Subject: Re: uPRF strict more
 
Randy, great question. I'm teaching that it's very rarely, if ever, used (due to high potential for benign loss); 
it's always great to be either confirmed or corrected... 

So if anyone replies just to Randy - pls cc me too (or, Randy, if you could sum up and send to list or me - thanks!)

Amir
-- 
Amir Herzberg

Comcast professor of Security Innovations, Computer Science and Engineering, University of Connecticut
Homepage: https://sites.google.com/site/amirherzberg/home
`Applied Introduction to Cryptography' textbook and lectures: 
https://sites.google.com/site/amirherzberg/applied-crypto-textbook

On Tue, Sep 28, 2021 at 8:50 PM Randy Bush <randy () psg com> wrote:
do folk use uRPF strict mode?  i always worried about the multi-homed
customer sending packets out the other way which loop back to me;  see
RFC 8704 §2.2

do vendors implement the complexity of 8704; and, if so, do operators
use it?

clue bat please

randy
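
Added example, not part of the thread or written by any of its participants: a small Python model of the strict and loose uRPF checks, applied to the peering triangle Adam describes plus one multi-homed customer case. The FIB, interface names (`peer`, `customer`, `transit`), prefixes and packets are all constructed assumptions using documentation address space, and the router is assumed to carry no default route.

```python
import ipaddress

# Constructed FIB on the "other provider" router (documentation prefixes).
# No default route is installed, so unrouted sources have no match at all.
FIB = {
    ipaddress.ip_network("198.51.100.0/24"): "peer",      # the peer's own space
    ipaddress.ip_network("203.0.113.0/25"): "customer",   # longer prefix from the customer
    ipaddress.ip_network("203.0.113.128/25"): "peer",     # customer prefix heard only via the peer
    ipaddress.ip_network("192.0.2.0/24"): "transit",      # a remote network
}

# Constructed packets: (source address, ingress interface, description)
PACKETS = [
    ("198.51.100.10", "peer", "peer's own host"),
    ("192.0.2.55", "peer", "remote host, transited by the peer toward the customer"),
    ("203.0.113.200", "customer", "customer source announced only via the peer"),
    ("10.9.9.9", "peer", "unrouted source"),
]

def best_route(src):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(src)
    matches = [net for net in FIB if ip in net]
    if not matches:
        return None
    return FIB[max(matches, key=lambda net: net.prefixlen)]

def urpf_accepts(src, in_ifc, mode):
    """strict: best route back to src must use the ingress interface.
    loose: any route to src is enough."""
    egress = best_route(src)
    if egress is None:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return egress == in_ifc
    raise ValueError(f"unknown mode: {mode}")

def verdicts(mode):
    """Accept/drop decision for each constructed packet, in order."""
    return [urpf_accepts(src, ifc, mode) for src, ifc, _ in PACKETS]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        for (src, ifc, what), ok in zip(PACKETS, verdicts(mode)):
            print(f"{mode:6} {ifc:8} {src:15} {'pass' if ok else 'DROP'}  {what}")
```

Strict mode drops the two legitimate asymmetric flows along with the unrouted source, while loose mode passes both and still drops the source that has no route at all.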

