saku at ytti.fi
Thu Aug 17 13:27:21 UTC 2017
On 17 August 2017 at 16:11, William Herrin <bill at herrin.us> wrote:
> Doesn't loose mode URPF allow packets from anything that exists in the
> routing table regardless of source? Seems just about worthless. You're
> allowing the site to spoof anything in the routing table which is NOT
Correct. uRPF/loose is pretty undesirable, what you get for the
premium you pay, it's rarely justifiable.
> Strict mode URPF down paths guaranteed to be single-homed. Manually
> configure allowed sources and announcements for BGP-talking customers.
JunOS offers 'strict feasible', which would allow packet if there is
some route pointing to that interface, not necessarily best.
But even that would not be well received by customers, some do TE by
omitting advertising prefix out, yet send traffic out without any
specific policy, so you may receive traffic from prefix they are
allowed to advertise but they do not.
I've previously used in JunOS same prefix-list for BGP and firewall
filter with good success, but unfortunately sometimes even telling
what prefixes might be behind specific BGP session/interface is not
More information about the NANOG