uPRF strict more

brad dreisbach bradd at us.ntt.net
Wed Sep 29 19:32:57 UTC 2021


On Wed, Sep 29, 2021 at 02:54:43PM -0400, Jean St-Laurent wrote:
>Hi Brad,
>
>I'd be interested to hear more about this pps penalty. Do we talk about 5% penalty or something closer to 50%?
>
>Let me know if you still have some numbers close to you related to PPS with uRPF loose.

iirc, strict vs loose doesn't matter, it's still an extra lookup which affects
the performance. i was able to find some numbers to give an example.

the 4x100G tomahawk card was able to pass min frame size (which iirc on ixia is
80B) at line rate with no features enabled. turn on uRPF and it is only able to
pass 208B frames at line rate.

similar results were seen with several generations of cisco and juniper
line cards (if i tested nokia i can't recall, we had stopped doing urpf
when they were introduced into the network).

-b


>
>Thanks
>Jean
>
>
>-----Original Message-----
>From: NANOG <nanog-bounces+jean=ddostest.me at nanog.org> On Behalf Of brad dreisbach
>Sent: September 29, 2021 2:35 PM
>To: Phil Bedard <bedard.phil at gmail.com>
>Cc: North American Network Operators' Group <nanog at nanog.org>
>Subject: Re: uPRF strict more
>
>On Wed, Sep 29, 2021 at 06:14:21PM +0000, Phil Bedard wrote:
>>Disclosure I work for Cisco and try to look after some of their peering guidelines.
>>
>>Agree with Adam’s statement, use uRPF on edge DIA customers.  Using it elsewhere on the network eventually is going to cause some issue and its usefulness today is almost nil.  That being said we still see large providers who have it turned on for peering/transit interfaces either out of legacy configuration or other reasons.  The vast majority do not use it for those interface roles.
>
>uRPF incurs a quite severe pps penalty on all of the NPUs i've ever tested.
>we have dabbled with it many times over the years and always eventually end up turning it off (for good this last time, probably).
>
>-b
>
>>
>>Phil
>>
>>From: NANOG <nanog-bounces+bedard.phil=gmail.com at nanog.org> on behalf
>>of Adam Thompson <athompson at merlin.mb.ca>
>>Date: Wednesday, September 29, 2021 at 1:08 PM
>>To: Amir Herzberg <amir.lists at gmail.com>, Randy Bush <randy at psg.com>
>>Cc: North American Network Operators' Group <nanog at nanog.org>
>>Subject: Re: uPRF strict more
>>We just ran into a typical case where uRPF caused a partial outage for one of my customers: the customer is multi-homed, with another provider that I'm also connected to.  Customer advertised a longer-prefix to the other guy, so I started sending traffic destined for Customer to the Other Provider... who then promptly dropped it because they had uRPF enabled on the peering link, and they were seeing random source IPs that weren't mine.  Well... yeah, that can happen (semi-legitimately) anytime you have a topological triangle in peering.
>>
>>I've concluded over the last 2 years that uRPF is only useful on interfaces pointing directly at non-multi-homed customers, and actively dangerous anywhere else.
>>
>>-Adam
>>
>>Adam Thompson
>>Consultant, Infrastructure Services
>>100 - 135 Innovation Drive
>>Winnipeg, MB, R3T 6A8
>>(204) 977-6824 or 1-800-430-6404 (MB only)
>>athompson at merlin.mb.ca
>>www.merlin.mb.ca
>>________________________________
>>From: NANOG <nanog-bounces+athompson=merlin.mb.ca at nanog.org> on behalf
>>of Amir Herzberg <amir.lists at gmail.com>
>>Sent: September 28, 2021 20:06
>>To: Randy Bush <randy at psg.com>
>>Cc: North American Network Operators' Group <nanog at nanog.org>
>>Subject: Re: uPRF strict more
>>
>>Randy, great question. I'm teaching that it's very rarely, if ever, used (due to high potential for benign loss); it's always great to be either confirmed or corrected...
>>
>>So if anyone replies just to Randy - pls cc me too (or, Randy, if you
>>could sum up and send to list or me - thanks!)
>>
>>Amir
>>--
>>Amir Herzberg
>>
>>Comcast professor of Security Innovations, Computer Science and
>>Engineering, University of Connecticut
>>Homepage: https://sites.google.com/site/amirherzberg/home
>>`Applied Introduction to Cryptography' textbook and lectures:
>>https://sites.google.com/site/amirherzberg/applied-crypto-textbook
>>
>>
>>
>>
>>On Tue, Sep 28, 2021 at 8:50 PM Randy Bush <randy at psg.com> wrote:
>>do folk use uPRF strict mode?  i always worried about the multi-homed
>>customer sending packets out the other way which loop back to me;  see
>>RFC 8704 §2.2
>>
>>do vendors implement the complexity of 8704; and, if so, do operators
>>use it?
>>
>>clue bat please
>>
>>randy
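As an added illustration of the strict-versus-loose behaviour argued over in this thread (a constructed model written for this archive page, not code from any poster or vendor): a small Python model of uRPF checks over a made-up FIB for the multi-homed customer triangle, showing which packets each mode accepts. The interface names, prefixes and the simplified "feasible" rule are assumptions, not RFC 8704's exact algorithm.

```python
import ipaddress

# Constructed FIB for one provider in the thread's "topological triangle";
# interface names and prefixes are made up. Each entry records the best-path
# interface and every interface the prefix was learned from:
#   cust0    - multi-homed customer: announces 192.0.2.0/24 to us and to the
#              other provider, and 192.0.2.128/25 to us only
#   peer0    - peering link to the other provider (re-announces the /24 to us)
#   transit0 - the rest of the Internet
FIB = {
    "192.0.2.0/24":   {"best": "cust0",    "learned_on": {"cust0", "peer0"}},
    "192.0.2.128/25": {"best": "cust0",    "learned_on": {"cust0"}},
    "203.0.113.0/24": {"best": "transit0", "learned_on": {"transit0"}},
}
NETS = {ipaddress.ip_network(p): e for p, e in FIB.items()}

def matching_routes(src):
    """All FIB entries covering src, longest prefix first."""
    addr = ipaddress.ip_address(src)
    return [NETS[n] for n in sorted(NETS, key=lambda n: -n.prefixlen) if addr in n]

def urpf_accept(src, ingress, mode):
    """Accept a packet from src arriving on ingress under the given uRPF mode?
    strict   : longest-match best path must point back out ingress
    feasible : simplified feasible-path check (RFC 8704 in spirit, not its
               exact algorithm): some covering prefix was learned on ingress
    loose    : any route for src exists; only unrouted sources are dropped
    """
    routes = matching_routes(src)
    if not routes:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return routes[0]["best"] == ingress
    if mode == "feasible":
        return any(ingress in r["learned_on"] for r in routes)
    raise ValueError(f"unknown uRPF mode: {mode}")

def evaluate(cases):
    """Run constructed packets through all modes -> {label: {mode: accepted}}."""
    return {label: {m: urpf_accept(src, ifc, m) for m in ("strict", "feasible", "loose")}
            for label, src, ifc in cases}

CASES = [  # (label, source address, ingress interface), all constructed
    ("customer-src-via-peer0", "192.0.2.200", "peer0"),  # Randy's loop-back worry
    ("internet-src-on-peer0",  "203.0.113.7", "peer0"),  # Adam's partial outage
    ("spoofed-src-on-cust0",   "203.0.113.7", "cust0"),  # what uRPF is meant to stop
    ("bogon-src-on-cust0",     "10.0.0.1",    "cust0"),  # unrouted source
]
```

Strict mode drops both benign cases on the peering link (the thread's outage), loose accepts the spoofed customer-side packet, and only the feasible-path check separates the two; nothing short of an ACL or strict mode catches the spoof on cust0.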
