who is using RPF on peers?

R.P. Aditya aditya at dnai.com
Sat Mar 13 21:55:42 UTC 1999


Almost a month ago, certain nets of ours (AS10368) lost connectivity to a
major provider. The problem was tracked down to the major provider having
enabled RPF, or "ip verify unicast reverse-path" in IOS-speak, on one of their
private peers with one of our upstreams to whom we don't announce those nets.

At the time, I decided not to post a warning to nanog as it appeared to be a
mistake and an isolated case.

Apparently, the same major provider had/has RPF enabled on other peering
interfaces also and one more instance was tracked down in the last 24 hours.

Enabling RPF on the "backbone" is not a good idea as long as path-asymmetry
exists -- unless you are trying to send a message to an unresponsive peer who
is sending you source-spoofed packets.

Please take this as an appeal to double-check your use of RPF and restrict it
to the "edges" of your network.

Thanks,
Adi
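
The failure described in the message above can be reproduced with a small model of a strict RPF check. This is an added example, not part of the original post: the FIB, the documentation prefixes, the interface names (peer-A, peer-B, cust-1, transit) and the sample packets are all constructed for illustration.

```python
import ipaddress

# Constructed FIB of the provider's router: prefix -> interface used to reach it.
# Prefixes are documentation ranges; interface names are hypothetical.
FIB = {
    "192.0.2.0/24": "peer-B",     # nets announced only via the other upstream
    "198.51.100.0/24": "cust-1",  # single-homed customer on the edge
    "0.0.0.0/0": "transit",
}

def best_interface(src, fib=FIB):
    """Longest-prefix match on the source, i.e. where a reply would be sent."""
    addr = ipaddress.ip_address(src)
    matches = [ipaddress.ip_network(p) for p in fib
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return fib[str(max(matches, key=lambda n: n.prefixlen))]

def strict_rpf_accepts(src, in_iface, fib=FIB):
    """Strict RPF: the route back to src must point out the arrival interface."""
    return best_interface(src, fib) == in_iface

def evaluate(packets, rpf_ifaces):
    """Return (src, in_iface, verdict); RPF is checked only on rpf_ifaces."""
    out = []
    for src, iface in packets:
        ok = iface not in rpf_ifaces or strict_rpf_accepts(src, iface)
        out.append((src, iface, "forward" if ok else "drop"))
    return out

# Constructed traffic: (source address, arrival interface)
PACKETS = [
    ("192.0.2.10", "peer-A"),    # legitimate, asymmetric: arrives via the
                                 # upstream the nets are not announced to
    ("192.0.2.10", "peer-B"),    # legitimate, symmetric path
    ("198.51.100.7", "cust-1"),  # legitimate customer source
    ("192.0.2.10", "cust-1"),    # customer sending a spoofed source
]

if __name__ == "__main__":
    for label, ifaces in [("RPF on peering and edge", {"peer-A", "peer-B", "cust-1"}),
                          ("RPF on edge only", {"cust-1"})]:
        print(label)
        for row in evaluate(PACKETS, ifaces):
            print("  %-13s via %-7s -> %s" % row)
```

With the check on the peering interfaces, the legitimate packet arriving via peer-A is dropped; with the check restricted to cust-1, only the spoofed packet is dropped.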



