urpf - evil?

Baldur Norddahl baldur.norddahl at gmail.com
Fri Oct 30 19:29:39 UTC 2020


Hello

While working on my ACLs I noticed that I was successful in blocking some
apparently spoofed IPv6 traffic. The destination was Facebook and the
source was an IPv6 range belonging to a mobile operator that sells 4G Wifi
router based solutions.

So thinking about how and why a few customers end up sending packets to our
network with the wrong source, I came up with a theory (not validated):
What if the customer connects his 4G Wifi router to one of the LAN ports of
our CPE (or vice versa)? His computer would then pick up an IPv6 range from
both ISPs along with two default routes. But only one default route would
be used, and in this case that was apparently the default route going to
our network. But still his computer might use the IPv6 address from the
other ISP as source and therefore he ends up "spoofing" by sending that to
us. We deliver the packets to Facebook and I assume Facebook will route the
replies just fine through the other ISP.

Now the thing is that my impression is that it actually works so long as I do
not actively block it with uRPF or ACLs on our edge. I have learned that
spoofing is evil and I should be blocking this - but why am I sabotaging
something that apparently is doing just fine at some customers?

Regards,

Baldur
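The scenario in the post (a host with addresses from two ISPs sending via only one of the default routes) is exactly the case that distinguishes the uRPF modes from each other. The following is an added illustration, not code from the post or from any router vendor: a toy longest-prefix-match table with strict, feasible-path and loose uRPF evaluation. All prefixes, interface names and the "mobile operator" and "customer" addresses are constructed assumptions drawn from the 2001:db8::/32 documentation range.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed forwarding table for the edge router (assumed values, not from
# the post). Each prefix maps to the interfaces that can reach it; the first
# entry is the best path, later entries are feasible (non-best) alternates.
FIB: Dict[str, List[str]] = {
    "2001:db8:1:100::/56": ["ge-0/0/1"],             # our customer's delegated prefix, via the CPE port
    "2001:db8:2::/48":     ["transit-1"],            # the other (mobile) operator's aggregate, via upstream
    "2001:db8:3::/48":     ["transit-1", "peer-1"],  # a prefix with a feasible alternate path
    "::/0":                ["transit-1"],            # default route
}


def lookup(fib: Dict[str, List[str]], addr: str,
           allow_default: bool = False) -> Optional[List[str]]:
    """Longest-prefix match for addr. Returns the interface list or None.

    Most routers ignore the default route for uRPF unless explicitly told
    to use it, because a default route would make loose uRPF accept every
    source; allow_default models that knob.
    """
    ip = ipaddress.ip_address(addr)
    best: Optional[Tuple[ipaddress.IPv6Network, List[str]]] = None
    for prefix, ifaces in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best[1] if best else None


def urpf(fib: Dict[str, List[str]], src: str, ingress: str,
         mode: str = "strict", allow_default: bool = False) -> bool:
    """Return True if a packet with source src arriving on ingress passes uRPF.

    strict:   the best route back to src must point out the ingress interface
    feasible: any known route (best or alternate) back to src may use ingress
    loose:    a route back to src merely has to exist
    """
    ifaces = lookup(fib, src, allow_default)
    if ifaces is None:
        return False            # no route back to the source: dropped in every mode
    if mode == "loose":
        return True
    if mode == "feasible":
        return ingress in ifaces
    if mode == "strict":
        return ingress == ifaces[0]
    raise ValueError(f"unknown uRPF mode {mode!r}")


def post_scenario() -> Dict[str, bool]:
    """The multi-homed-host case from the post, seen from the customer port."""
    cust_port = "ge-0/0/1"
    own_src = "2001:db8:1:100::abcd"     # address from our delegated prefix
    other_src = "2001:db8:2:abcd::10"    # address from the other ISP's prefix
    return {
        "own-prefix strict":    urpf(FIB, own_src, cust_port, "strict"),
        "other-ISP strict":     urpf(FIB, other_src, cust_port, "strict"),
        "other-ISP feasible":   urpf(FIB, other_src, cust_port, "feasible"),
        "other-ISP loose":      urpf(FIB, other_src, cust_port, "loose"),
    }


if __name__ == "__main__":
    for label, passed in post_scenario().items():
        print(f"{label:22s} -> {'pass' if passed else 'DROP'}")
```

Only strict mode drops the other ISP's source on the customer port, which matches the observation that the traffic "works" until strict uRPF or an equivalent ingress ACL is applied; loose and feasible-path mode still let it through because a route to that prefix exists via transit. The `allow_default` knob shows the other caveat: with the default route counted, loose uRPF passes any source at all, including ones with no real route, so it stops being a spoofing check on an edge that carries a default.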