Yeah, but loose mode is inherently useless on any router carrying full tables.  
(Ok, it can spot bogons, but that's a side effect and I have other ways to 
catch those.)
Point being that MANRS implementation in the "simple" case is (or, at least, 
CAN be) almost trivially easy, but in the "complex" case is quite difficult - 
I'm still not even sure I know how to do it 100% correctly with multi-homed 
downstream clients.  "Just turn on RPF" is starting to feel more like an 
article of faith rather than genuine technical guidance.  :-(
-Adam

________________________________
From: Brian Johnson <brian.john...@netgeek.us>
Sent: Friday, October 1, 2021 8:31:15 AM
To: Adam Thompson <athomp...@merlin.mb.ca>
Cc: Amir Herzberg <amir.li...@gmail.com>; Randy Bush <ra...@psg.com>; North 
American Network Operators' Group <nanog@nanog.org>
Subject: Re: uPRF strict more

For strict-mode... Completely agree.

As has been previously said, this is a tool that all players involved need to 
understand. This is no different than everyone correctly using BGP in their 
application for their outcomes.

On Sep 29, 2021, at 12:07 PM, Adam Thompson <athomp...@merlin.mb.ca> wrote:

We just ran into a typical case where uRPF caused a partial outage for one of 
my customers: the customer is multi-homed, with another provider that I'm also 
connected to.  Customer advertised a longer prefix to the other guy, so I 
started sending traffic destined for Customer to the Other Provider... who then 
promptly dropped it because they had uRPF enabled on the peering link, and they 
were seeing random source IPs that weren't mine.  Well... yeah, that can happen 
(semi-legitimately) anytime you have a topological triangle in peering.

I've concluded over the last 2 years that uRPF is only useful on interfaces 
pointing directly at non-multi-homed customers, and actively dangerous anywhere 
else.

-Adam

Adam Thompson
Consultant, Infrastructure Services
100 - 135 Innovation Drive
Winnipeg, MB, R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
athomp...@merlin.mb.ca
www.merlin.mb.ca
________________________________
From: NANOG <nanog-bounces+athompson=merlin.mb...@nanog.org> on behalf of 
Amir Herzberg <amir.li...@gmail.com>
Sent: September 28, 2021 20:06
To: Randy Bush <ra...@psg.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
Subject: Re: uPRF strict more

Randy, great question. I'm teaching that it's very rarely, if ever, used (due 
to high potential for benign loss); it's always great to be either confirmed or 
corrected...

So if anyone replies just to Randy - pls cc me too (or, Randy, if you could sum 
up and send to list or me - thanks!)

Amir
--
Amir Herzberg

Comcast professor of Security Innovations, Computer Science and Engineering, 
University of Connecticut
Homepage: https://sites.google.com/site/amirherzberg/home
`Applied Introduction to Cryptography' textbook and lectures: 
https://sites.google.com/site/amirherzberg/applied-crypto-textbook

On Tue, Sep 28, 2021 at 8:50 PM Randy Bush <ra...@psg.com> wrote:
do folk use uPRF strict mode?  i always worried about the multi-homed
customer sending packets out the other way which loop back to me;  see
RFC 8704 §2.2

do vendors implement the complexity of 8704; and, if so, do operators
use it?

clue bat please

randy
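
A small model of the three uRPF modes run over the exact topology the thread is arguing about, added here as an illustration; it is not code from any of the posters. It builds two providers (A, "me", and B, the other provider) with a customer C multi-homed to both, replays Randy's loop-back case (customer traffic leaving via B and arriving at A on the peering link), Adam's triangle (internet traffic that A hands to B because of C's longer prefix, which B then sees on its peering link with arbitrary sources), and the one uncontroversial case, a directly attached single-homed-style customer link. Everything in it is assumed: RFC 5737 documentation prefixes, made-up interface names, a router reduced to its learned routes (best and alternate) plus a longest-prefix-match lookup, and BGP policy collapsed to a single local-pref; feasible-path is modelled simply as "any route for the source learned on this interface".

```python
"""Toy model of the uRPF modes over the two-provider triangle in this thread.

Added illustration, not code from any of the posters.  Assumptions: the
prefixes are RFC 5737 documentation space, interface names are made up, a
router is reduced to the routes it has learned (best and alternate) plus a
longest-prefix-match lookup, and BGP policy is modelled as one local-pref.
"""
import ipaddress

MODES = ("strict", "feasible", "loose")


class Router:
    def __init__(self, name):
        self.name = name
        self.routes = []  # (network, iface, local_pref): best and alternates

    def learn(self, prefix, iface, local_pref=100):
        self.routes.append((ipaddress.ip_network(prefix), iface, local_pref))

    def fib_lookup(self, addr):
        """Longest-prefix match, ties broken by highest local_pref.
        Returns (network, iface) or None when nothing covers addr."""
        addr = ipaddress.ip_address(addr)
        hits = [r for r in self.routes if addr in r[0]]
        if not hits:
            return None
        longest = max(r[0].prefixlen for r in hits)
        net, iface, _ = max((r for r in hits if r[0].prefixlen == longest),
                            key=lambda r: r[2])
        return net, iface

    def urpf(self, mode, iface, src):
        """True if a packet sourced from `src` passes the uRPF check on `iface`."""
        addr = ipaddress.ip_address(src)
        best = self.fib_lookup(addr)
        if mode == "loose":      # any route at all for the source address
            return best is not None
        if mode == "strict":     # the *best* route must point back out iface
            return best is not None and best[1] == iface
        if mode == "feasible":   # simplified feasible path: any route for the
            # source learned on iface, best or alternate, satisfies the check
            return any(addr in net and i == iface for net, i, _ in self.routes)
        raise ValueError(mode)


def build_lab():
    """Customer C holds 192.0.2.0/23 and is multi-homed to A ("me") and B.
    Each provider prefers its direct customer link and re-announces the
    aggregate to the other; C hands the more-specific /24 only to B."""
    a, b = Router("A"), Router("B")
    a.learn("192.0.2.0/23", "cust", 200)
    a.learn("192.0.2.0/23", "peer-B", 100)
    a.learn("192.0.2.0/24", "peer-B", 100)   # longer prefix, only via B
    a.learn("203.0.113.0/24", "transit")     # stand-in for the rest of the net
    b.learn("192.0.2.0/24", "cust", 200)
    b.learn("192.0.2.0/23", "cust", 200)
    b.learn("192.0.2.0/23", "peer-A", 100)
    b.learn("203.0.113.0/24", "transit")
    return a, b


def randy_case(a):
    """C sources 192.0.3.5, sends it out via B, and it loops back to A on
    peer-B (the case Randy cites from RFC 8704 s2.2).  What does A do?"""
    return {m: a.urpf(m, "peer-B", "192.0.3.5") for m in MODES}


def adam_case(a, b):
    """Internet host 203.0.113.7 -> 192.0.2.10.  A's FIB hands the packet to
    B because of the longer prefix; B then sees a non-A source on peer-A."""
    assert a.fib_lookup("192.0.2.10")[1] == "peer-B"   # the triangle
    return {m: b.urpf(m, "peer-A", "203.0.113.7") for m in MODES}


def customer_link_case(a):
    """A's direct link to C.  Genuine C traffic passes every mode; a spoofed
    but routable internet source is caught by strict and feasible only,
    while loose waves it through (it only ever catches unrouted space)."""
    return {(m, src): a.urpf(m, "cust", src)
            for m in MODES for src in ("192.0.3.5", "203.0.113.7")}


if __name__ == "__main__":
    a, b = build_lab()
    print("Randy's loop-back, A/peer-B :", randy_case(a))
    print("Adam's triangle,   B/peer-A :", adam_case(a, b))
    print("Direct customer,   A/cust   :", customer_link_case(a))
```

Run as-is it prints the three dictionaries. In Randy's case strict drops the customer's own packets while feasible-path accepts them (because B re-announces C's aggregate to A, so the prefix is in A's Adj-RIB-In on peer-B); in Adam's case neither strict nor feasible-path helps B, because nothing about the arbitrary internet source was ever learned from A on that peering link, which is the "topological triangle" Adam describes; only the direct customer link gives strict mode a clean answer.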
