nanog mailing list archives

Re: [External] Re: uPRF strict more


From: Sabri Berisha <sabri () cluecentral net>
Date: Thu, 30 Sep 2021 10:27:47 -0700 (PDT)

----- On Sep 30, 2021, at 9:13 AM, Andrew Smith andrew.william.smith () gmail com wrote:

Hi,

In Ciscoland, you do have to explicitly state that the default route is eligible
for URPF verification, otherwise you'll get unexpected traffic drops.

ip verify unicast source reachable-via any allow-default

Customer: We need a way to prevent spoofing.
Dev: Sure, I created a new feature: "ip verify unicast"
Customer: We're dropping legitimate traffic!
Dev: Oops, sorry about that. Here, a new feature: "ip verify unicast source reachable-via any"
Customer: But but but, we don't have a full BGP table!
Dev: Oh well... <clickety-click> "ip verify unicast source reachable-via any allow-default"

Thanks,

Sabri
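
Added example, not part of the original thread: a simplified Python model of the uRPF source check discussed above, showing why a router that relies on a default route drops traffic unless allow-default is set. The FIB contents, interface names and the function names lookup and urpf_permits are constructed for illustration, and the model assumes one next-hop interface per prefix (no ECMP).

```python
import ipaddress

# Constructed FIB for a router without a full BGP table:
# two customer prefixes plus a default route toward the upstream.
FIB = [
    ("0.0.0.0/0", "upstream0"),
    ("192.0.2.0/24", "cust0"),
    ("198.51.100.0/24", "cust1"),
]

def lookup(fib, src):
    """Longest-prefix match on the source address; returns (network, iface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_permits(fib, src, in_iface, mode="rx", allow_default=False):
    """Model of 'ip verify unicast source reachable-via {rx|any} [allow-default]'.

    mode "rx"  = strict: the route back to src must point out in_iface.
    mode "any" = loose: any route back to src is enough.
    Without allow_default, a match on 0.0.0.0/0 does not count as reachable.
    """
    hit = lookup(fib, src)
    if hit is None:
        return False              # no route to the source at all: drop
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False              # only the default route matched: drop
    if mode == "rx":
        return iface == in_iface  # strict: must arrive on the return-path interface
    return True                   # loose: reachable via any interface

if __name__ == "__main__":
    # Internet source covered only by the default route, arriving from the upstream.
    for allow in (False, True):
        verdict = urpf_permits(FIB, "203.0.113.7", "upstream0", "any", allow)
        print(f"loose, allow-default={allow}: {'permit' if verdict else 'drop'}")
    # Customer prefix used as a source on the wrong customer port.
    for mode in ("rx", "any"):
        verdict = urpf_permits(FIB, "192.0.2.10", "cust1", mode)
        print(f"192.0.2.10 on cust1, mode={mode}: {'permit' if verdict else 'drop'}")
```

The last two lines of output show the trade-off behind the thread: loose mode permits a customer prefix arriving on the wrong port, which strict mode drops.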

