uPRF strict more

Mark Tinka mark at tinka.africa
Thu Sep 30 05:01:35 UTC 2021



On 9/29/21 19:07, Adam Thompson wrote:

> We just ran into a typical case where uRPF caused a partial outage for 
> one of my customers: the customer is multi-homed, with another 
> provider that I'm *also* connected to.  Customer advertised a 
> longer-prefix to the other guy, so I started sending traffic destined 
> for Customer to the Other Provider... who then promptly dropped it 
> because they had uRPF enabled on the peering link, and they were 
> seeing random source IPs that weren't mine. Well... yeah, that can 
> happen (semi-legitimately) anytime you have a topological triangle in 
> peering.
>
> I've concluded over the last 2 years that uRPF is *only* useful on 
> interfaces pointing directly at non-multi-homed customers, and 
> *actively dangerous* anywhere else.

That's not exactly true, unless that other provider is not carrying a 
full table on the device your traffic toward your customer was transiting.

Generally, we only run uRPF on boxes that carry a full BGP table. The 
lack of a full table, even with loose-mode uRPF, will lead to blackholing.

Mark.
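
The two cases discussed in this thread, as an added example that is not part of either poster's message: a minimal model of the uRPF check on the Other Provider's peering interface. The prefixes (documentation ranges), interface names and both tables are constructed; the model assumes one best path per prefix and no default route.

```python
import ipaddress

def lookup(fib, addr):
    """Longest-prefix match: return the egress interface for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_permits(fib, src, in_iface, mode):
    """Return True if a packet with source `src` arriving on `in_iface` passes uRPF."""
    route_iface = lookup(fib, src)
    if route_iface is None:
        return False                      # no route back to the source: dropped in any mode
    if mode == "loose":
        return True                       # any route to the source is enough
    if mode == "strict":
        return route_iface == in_iface    # best path must point back out the arrival interface
    raise ValueError(f"unknown mode: {mode}")

# Constructed tables on the Other Provider's router.
FULL_TABLE = [
    ("192.0.2.0/24", "peer-A"),      # the first provider's own prefix, learned over the peering
    ("198.51.100.0/24", "transit"),  # a third-party network, learned from transit
    ("203.0.113.0/24", "cust-C"),    # the multi-homed customer
]
# Same router without the transit-learned routes (not a full table).
PARTIAL_TABLE = [r for r in FULL_TABLE if r[1] != "transit"]

def triangle_results():
    """Traffic for Customer C arrives on peer-A; the sources are not all the peer's own."""
    third_party, peer_own = "198.51.100.7", "192.0.2.10"
    return {
        "strict_full_third_party": urpf_permits(FULL_TABLE, third_party, "peer-A", "strict"),
        "strict_full_peer_own": urpf_permits(FULL_TABLE, peer_own, "peer-A", "strict"),
        "loose_full_third_party": urpf_permits(FULL_TABLE, third_party, "peer-A", "loose"),
        "loose_partial_third_party": urpf_permits(PARTIAL_TABLE, third_party, "peer-A", "loose"),
    }

if __name__ == "__main__":
    for case, permitted in triangle_results().items():
        print(f"{case}: {'permit' if permitted else 'drop'}")
```
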


More information about the NANOG mailing list