On Wed, Sep 29, 2021 at 06:14:21PM +0000, Phil Bedard wrote:
Disclosure: I work for Cisco and try to look after some of their peering
guidelines.
Agree with Adam’s statement, use uRPF on edge DIA customers. Using it
elsewhere on the network eventually is going to cause some issue and its
usefulness today is almost nil. That being said we still see large providers
who have it turned on for peering/transit interfaces either out of legacy
configuration or other reasons. The vast majority do not use it for those
interface roles.
uRPF incurs a quite severe pps penalty on all of the NPUs I've ever tested.
We have dabbled with it many times over the years and always eventually
end up turning it off (for good this last time, probably).
-b
Phil
From: NANOG <nanog-bounces+bedard.phil=gmail....@nanog.org> on behalf of Adam
Thompson <athomp...@merlin.mb.ca>
Date: Wednesday, September 29, 2021 at 1:08 PM
To: Amir Herzberg <amir.li...@gmail.com>, Randy Bush <ra...@psg.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
Subject: Re: uRPF strict mode
We just ran into a typical case where uRPF caused a partial outage for one of
my customers: the customer is multi-homed, with another provider that I'm also
connected to. Customer advertised a longer prefix to the other guy, so I
started sending traffic destined for Customer to the Other Provider... who then
promptly dropped it because they had uRPF enabled on the peering link, and they
were seeing random source IPs that weren't mine. Well... yeah, that can happen
(semi-legitimately) anytime you have a topological triangle in peering.
I've concluded over the last 2 years that uRPF is only useful on interfaces
pointing directly at non-multi-homed customers, and actively dangerous anywhere
else.
-Adam
Adam Thompson
Consultant, Infrastructure Services
100 - 135 Innovation Drive
Winnipeg, MB, R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
athomp...@merlin.mb.ca
www.merlin.mb.ca
________________________________
From: NANOG <nanog-bounces+athompson=merlin.mb...@nanog.org> on behalf of Amir
Herzberg <amir.li...@gmail.com>
Sent: September 28, 2021 20:06
To: Randy Bush <ra...@psg.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
Subject: Re: uRPF strict mode
Randy, great question. I'm teaching that it's very rarely, if ever, used (due
to high potential for benign loss); it's always great to be either confirmed or
corrected...
So if anyone replies just to Randy - pls cc me too (or, Randy, if you could sum
up and send to list or me - thanks!)
Amir
--
Amir Herzberg
Comcast professor of Security Innovations, Computer Science and Engineering,
University of Connecticut
Homepage: https://sites.google.com/site/amirherzberg/home
`Applied Introduction to Cryptography' textbook and lectures:
https://sites.google.com/site/amirherzberg/applied-crypto-textbook
On Tue, Sep 28, 2021 at 8:50 PM Randy Bush
<ra...@psg.com<mailto:ra...@psg.com>> wrote:
do folk use uRPF strict mode? i always worried about the multi-homed
customer sending packets out the other way which loop back to me; see
RFC 8704 §2.2
do vendors implement the complexity of 8704; and, if so, do operators
use it?
clue bat please
randy
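The peering triangle Adam describes and the customer-loopback case Randy raises, modelled as an added Python example (not code from anyone in the thread): a small constructed FIB for the "other provider" and a uRPF check in strict, feasible-path and loose modes, showing which sources its peering interface toward Adam's ISP would drop. The interface names, the RFC 5737 prefixes and the simplified treatment of the default route are assumptions for this example.

```python
import ipaddress

# Constructed FIB for the "Other Provider" (OP) in the peering triangle Adam
# describes.  Each entry is (prefix, egress interface, is_best_path).  Prefixes
# are RFC 5737 documentation space and interface names are assumed for this
# example; none of this comes from the thread.
OP_FIB = [
    ("192.0.2.0/24",    "to_customer", True),   # customer's aggregate, direct
    ("192.0.2.0/24",    "to_adam",     False),  # same aggregate also heard via Adam's ISP
    ("192.0.2.128/25",  "to_customer", True),   # longer prefix the customer gave only to OP
    ("198.51.100.0/24", "to_adam",     True),   # Adam's ISP's own address space
    ("0.0.0.0/0",       "to_transit",  True),   # everything else via OP's upstream
]

def matching_routes(fib, src):
    """FIB entries (best and alternates) for the longest prefix covering src."""
    addr = ipaddress.ip_address(src)
    cover = [(ipaddress.ip_network(p), ifc, best) for p, ifc, best in fib
             if addr in ipaddress.ip_network(p)]
    longest = max(n.prefixlen for n, _, _ in cover)
    return [(n, i, b) for n, i, b in cover if n.prefixlen == longest]

def urpf_accept(fib, src, arrival_ifc, mode, allow_default=False):
    """Model one router's uRPF decision: strict, feasible-path or loose mode."""
    routes = matching_routes(fib, src)
    if not allow_default and all(n.prefixlen == 0 for n, _, _ in routes):
        return False                     # only the default route covers src
    if mode == "loose":                  # any usable route, on any interface
        return True
    if mode == "feasible":               # best OR alternate path via arrival interface
        return any(i == arrival_ifc for _, i, _ in routes)
    if mode == "strict":                 # best path must be via arrival interface
        return any(i == arrival_ifc for _, i, b in routes if b)
    raise ValueError(mode)

MODES = ("strict", "feasible", "loose")

def triangle_outage():
    """Traffic Adam's ISP forwards to OP for the customer's /25, checked on OP's
    peering interface to Adam, keyed by source address."""
    sources = ["198.51.100.7",   # host inside Adam's own space
               "203.0.113.9"]    # arbitrary Internet host transiting Adam
    return {s: {m: urpf_accept(OP_FIB, s, "to_adam", m) for m in MODES}
            for s in sources}

def customer_loopback():
    """Randy's case: the customer's own packets leave via Adam and arrive back at
    OP on the peering interface.  A source in the aggregate vs. in the /25."""
    return {s: {m: urpf_accept(OP_FIB, s, "to_adam", m) for m in MODES}
            for s in ("192.0.2.5", "192.0.2.200")}
```

The transit-sourced packet is dropped in every mode unless the default route is allowed to satisfy the check, and the customer's /25-sourced packet fails even feasible-path uRPF because that longer prefix was only ever announced to OP.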