uPRF strict more
Mark Tinka
mark at tinka.africa
Thu Sep 30 05:01:35 UTC 2021
On 9/29/21 19:07, Adam Thompson wrote:
> We just ran into a typical case where uRPF caused a partial outage for
> one of my customers: the customer is multi-homed, with another
> provider that I'm *also* connected to. Customer advertised a
> longer-prefix to the other guy, so I started sending traffic destined
> for Customer to the Other Provider... who then promptly dropped it
> because they had uRPF enabled on the peering link, and they were
> seeing random source IPs that weren't mine. Well... yeah, that can
> happen (semi-legitimately) anytime you have a topological triangle in
> peering.
>
> I've concluded over the last 2 years that uRPF is *only* useful on
> interfaces pointing directly at non-multi-homed customers, and
> *actively dangerous* anywhere else.
That's not exactly true, unless that other provider is not carrying a
full table on the device your traffic toward your customer was transiting.
Generally, we only run uRPF on boxes that carry a full BGP table. The
lack of a full table, even with loose-mode uRPF, will lead to blackholing.
Mark.
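
An added illustration of the strict and loose uRPF checks discussed in this thread, as a small Python model (not part of either poster's message and not any vendor's implementation). The interface names, the documentation-range prefixes and both tables are constructed, and a FIB with no default route is assumed.

```python
import ipaddress

def lookup(fib, addr):
    """Longest-prefix match: return the interfaces of the best route, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(p), ifs) for p, ifs in fib.items()
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def urpf_permits(fib, src, ingress, mode):
    """Model of the uRPF source check for a packet arriving on `ingress`."""
    back = lookup(fib, src)
    if back is None:
        return False            # no route to the source: dropped in both modes
    if mode == "loose":
        return True             # any route to the source is enough
    return ingress in back      # strict: best return path must be the ingress

# Constructed FIB of the router doing the check (hypothetical names/prefixes).
FULL = {
    "192.0.2.0/24":    {"peer"},     # the peer's own address space
    "203.0.113.0/25":  {"cust"},     # multi-homed customer's longer prefix
    "198.51.100.0/24": {"transit"},  # stand-in for the rest of the full table
}
# Same router without the full table: only peer and customer routes remain.
PARTIAL = {p: ifs for p, ifs in FULL.items() if ifs != {"transit"}}

def run_cases():
    """Third-party source relayed over the peering link toward the customer."""
    src = "198.51.100.7"
    return {
        "strict, full table":     urpf_permits(FULL, src, "peer", "strict"),
        "loose, full table":      urpf_permits(FULL, src, "peer", "loose"),
        "loose, partial table":   urpf_permits(PARTIAL, src, "peer", "loose"),
        "strict, peer's own src": urpf_permits(FULL, "192.0.2.10", "peer", "strict"),
    }

if __name__ == "__main__":
    for name, ok in run_cases().items():
        print(f"{name}: {'permit' if ok else 'drop'}")
```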