uRPF strict mode

Blake Hudson blake at ispn.net
Wed Sep 29 14:21:26 UTC 2021


As an eyeball network operator (Cable, DSL, Fiber) we use uRPF strict 
mode on customer facing ports on the BRAS gear. Our access gear also 
tends to include source address verification via DHCP snooping (as well 
as limits on the number of DHCP leases and/or MAC addresses each 
customer is allowed) so there are a couple layers of protection.

I do not use uRPF on upstream/transit/IX links or with multi-homed 
customers - or anywhere else where traffic could be asymmetrical; I 
prefer to use stateless ACLs at these locations.



On 9/28/2021 8:06 PM, Amir Herzberg wrote:
> Randy, great question. I'm teaching that it's very rarely, if ever, 
> used (due to high potential for benign loss); it's always great to be 
> either confirmed or corrected...
>
> So if anyone replies just to Randy - pls cc me too (or, Randy, if you 
> could sum up and send to list or me - thanks!)
>
> Amir
> -- 
> Amir Herzberg
>
> Comcast professor of Security Innovations, Computer Science and 
> Engineering, University of Connecticut
> Homepage: https://sites.google.com/site/amirherzberg/home
> 'Applied Introduction to Cryptography' textbook and
> lectures: https://sites.google.com/site/amirherzberg/applied-crypto-textbook
>
> On Tue, Sep 28, 2021 at 8:50 PM Randy Bush <randy at psg.com> wrote:
>
>     do folk use uRPF strict mode?  i always worried about the multi-homed
>     customer sending packets out the other way which loop back to me;  see
>     RFC 8704 §2.2
>
>     do vendors implement the complexity of 8704; and, if so, do operators
>     use it?
>
>     clue bat please
>
>     randy
>
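
Added example, not part of the original thread: a small Python model of the checks discussed above. It shows why strict uRPF holds up on single-homed customer ports, why it drops legitimate packets from a multi-homed customer whose best return path points elsewhere, and how a stateless per-port ACL avoids that loss. The FIB, prefixes (documentation ranges) and interface names are constructed for illustration.

```python
import ipaddress

# Constructed FIB (documentation prefixes, hypothetical interface names):
# each prefix maps to the interface(s) of the router's current best path.
FIB = {
    "198.51.100.0/25": {"cust-a"},     # single-homed subscriber A
    "198.51.100.128/25": {"cust-b"},   # single-homed subscriber B
    # Multi-homed customer attached on "cust-mh", but the best path to its
    # prefix currently points at transit (asymmetric routing).
    "203.0.113.0/24": {"transit0"},
}

# Stateless per-port source filter, the alternative for asymmetric links.
PORT_ACL = {"cust-mh": ["203.0.113.0/24"]}


def best_route(src, fib=FIB):
    """Longest-prefix match on the source address; None if no route."""
    addr = ipaddress.ip_address(src)
    hits = [ipaddress.ip_network(p) for p in fib
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    return fib[str(max(hits, key=lambda n: n.prefixlen))]


def urpf_permits(src, in_iface, mode, fib=FIB):
    """strict: route back to src must use in_iface; loose: any route exists."""
    ifaces = best_route(src, fib)
    if ifaces is None:
        return False
    return True if mode == "loose" else in_iface in ifaces


def acl_permits(src, in_iface, acl=PORT_ACL):
    """Static source-prefix filter bound to the port, independent of the FIB."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in acl.get(in_iface, []))


if __name__ == "__main__":
    cases = [("198.51.100.10", "cust-a"),    # A using its own address
             ("198.51.100.200", "cust-a"),   # A using B's address
             ("203.0.113.9", "cust-mh")]     # multi-homed, legitimate source
    for src, port in cases:
        print(src, port,
              "strict=%s" % urpf_permits(src, port, "strict"),
              "loose=%s" % urpf_permits(src, port, "loose"),
              "acl=%s" % acl_permits(src, port))
```
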
