Re: uPRF strict more

[Blake Hudson <blake () ispn net>]

As an eyeball network operator (Cable, DSL, Fiber) we use uRPF strict 
mode on customer facing ports on the BRAS gear. Our access gear also 
tends to include source address verification via DHCP snooping (as well 
as limits on the number of DHCP leases and/or MAC addresses each 
customer is allowed) so there are a couple layers of protection.

I do not use uRPF on upstream/transit/IX links or with multi-homed 
customers - or anywhere else where traffic could be asymmetrical; I 
prefer to use stateless ACLs at these locations.



On 9/28/2021 8:06 PM, Amir Herzberg wrote:
> Randy, great question. I'm teaching that it's very rarely, if ever, 
> used (due to high potential for benign loss); it's always great to be 
> either confirmed or corrected...
>
> So if anyone replies just to Randy - pls cc me too (or, Randy, if you 
> could sum up and send to list or me - thanks!)
>
> Amir
> --
> Amir Herzberg
>
> Comcast professor of Security Innovations, Computer Science and 
> Engineering, University of Connecticut
> Homepage: https://sites.google.com/site/amirherzberg/home 
> <https://sites.google.com/site/amirherzberg/home>
> `Applied Introduction to Cryptography' textbook and 
> lectures: https://sites.google.com/site/amirherzberg/applied-crypto-textbook 
> <https://sites.google.com/site/amirherzberg/applied-crypto-textbook>
>
>
>
>
> On Tue, Sep 28, 2021 at 8:50 PM Randy Bush <randy () psg com 
> <mailto:randy () psg com>> wrote:
>
>     do folk use uPRF strict mode?  i always worried about the multi-homed
>     customer sending packets out the other way which loop back to me;  see
>     RFC 8704 §2.2
>
>     do vendors implement the complexity of 8704; and, if so, do operators
>     use it?
>
>     clue bat please
>
>     randy