As an eyeball network operator (Cable, DSL, Fiber) we use uRPF strict
mode on customer facing ports on the BRAS gear. Our access gear also
tends to include source address verification via DHCP snooping (as well
as limits on the number of DHCP leases and/or MAC addresses each
customer is allowed) so there are a couple layers of protection.
I do not use uRPF on upstream/transit/IX links or with multi-homed
customers - or anywhere else where traffic could be asymmetrical; I
prefer to use stateless ACLs at these locations.
On 9/28/2021 8:06 PM, Amir Herzberg wrote:
Randy, great question. I'm teaching that it's very rarely, if ever,
used (due to high potential for benign loss); it's always great to be
either confirmed or corrected...
So if anyone replies just to Randy - pls cc me too (or, Randy, if you
could sum up and send to list or me - thanks!)
Amir
--
Amir Herzberg
Comcast professor of Security Innovations, Computer Science and
Engineering, University of Connecticut
Homepage: https://sites.google.com/site/amirherzberg/home
<https://sites.google.com/site/amirherzberg/home>
`Applied Introduction to Cryptography' textbook and
lectures: https://sites.google.com/site/amirherzberg/applied-crypto-textbook
<https://sites.google.com/site/amirherzberg/applied-crypto-textbook>
On Tue, Sep 28, 2021 at 8:50 PM Randy Bush <[email protected]
<mailto:[email protected]>> wrote:
do folk use uPRF strict mode? i always worried about the multi-homed
customer sending packets out the other way which loop back to me; see
RFC 8704 §2.2
do vendors implement the complexity of 8704; and, if so, do operators
use it?
clue bat please
randy
