uPRF strict more

brad dreisbach bradd at us.ntt.net
Wed Sep 29 21:59:03 UTC 2021


On Wed, Sep 29, 2021 at 11:38:19PM +0200, Baldur Norddahl wrote:
>On Wed, 29 Sept 2021 at 22:07, Jean St-Laurent via NANOG <nanog at nanog.org>
>wrote:
>
>> Thanks a lot for sharing.
>>
>> So 100 Gbps at line rate with 80B frames is about ~150 Mpps.
>>
>> 100 Gbps at line rate with 208B frames is about ~60 Mpps.
>>
>> It's a significant penalty.
>>
>
>Full rate small packets would be an attack of some kind and could only
>realistically arrive at your transit and peering ports. The customers
>usually have slower (relatively) ports and a single customer could not
>produce a rate of small packets that would be a concern. Therefore uRPF at
>customer ports should not be a problem in this regard.

every network is different of course, and admittedly i am a couple generations
of hw from having tested this. the problem was indeed exacerbated by also 
having a ddos scrubbing service, but i still encourage my competitors to run
urpf.

-b

>
>Regards,
>
>Baldur

