[External] Re: uRPF strict mode

Mark Tinka mark at tinka.africa
Thu Sep 30 16:12:51 UTC 2021



On 9/30/21 17:56, Hunter Fuller wrote:
> On Thu, Sep 30, 2021 at 12:08 AM Mark Tinka <mark at tinka.africa> wrote:
>> If you don't plan to run a full BGP table on a device, don't enable uRPF, even loose-mode.
> At least in Ciscoland, loose URPF checks will pass if you have a
> default route. So I do not think it could result in inadvertent
> blackholing of traffic.
>
> What it does allow is for *deliberate* blackholing for traffic; if you
> null-route a prefix, you now block incoming traffic from that subnet
> as well. This can be useful and it is how we are using URPF.

Agreed.

I should have said "If you don't plan to run a full BGP table on a 
device without a default route as well, don't enable uRPF, even 
loose-mode".

Principally, we don't run default on any of our service routers. 
Technically, we point default to the bin on all our service routers, as 
that's the fastest way for the router to handle illegal traffic it 
"could" receive.

Mark.
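A toy model of the loose-mode check discussed in this thread, added here as an example and not code from either poster: the FIB entries and source addresses are constructed, and whether a default route satisfies the check is a platform knob (modelled here as passing, as the quoted reply describes). It shows the two outcomes the thread contrasts: a default via an upstream means unrouted sources are not blackholed, while a null-routed prefix, or a default pointed at Null0, drops them.

```python
import ipaddress

# Constructed FIBs (not from the thread): (prefix, next_hop); "Null0" marks a discard route.
FIB_DEFAULT_VIA_UPSTREAM = [
    ("0.0.0.0/0", "203.0.113.254"),   # default route towards an upstream
    ("198.51.100.0/24", "203.0.113.1"),
    ("198.51.100.128/25", "Null0"),   # deliberately null-routed subnet
]
FIB_DEFAULT_TO_NULL0 = [
    ("0.0.0.0/0", "Null0"),           # default "pointed to the bin", as in the reply above
    ("198.51.100.0/24", "203.0.113.1"),
    ("198.51.100.128/25", "Null0"),
]


def longest_match(fib, addr):
    """Return (network, next_hop) of the most specific FIB entry covering addr, or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, nh in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def loose_urpf_passes(fib, src):
    """Loose-mode uRPF: the source must be covered by *some* FIB route (any interface),
    and that route must not be a discard route. A default route counts here; on some
    platforms that is a configuration knob (assumption: IOS 'allow-default')."""
    match = longest_match(fib, src)
    return match is not None and match[1] != "Null0"


def classify(fib, sources):
    """Map each source address to whether loose-mode uRPF would forward it."""
    return {s: loose_urpf_passes(fib, s) for s in sources}


if __name__ == "__main__":
    srcs = ["198.51.100.10", "198.51.100.200", "192.0.2.7"]
    print("default via upstream:", classify(FIB_DEFAULT_VIA_UPSTREAM, srcs))
    print("default to Null0:    ", classify(FIB_DEFAULT_TO_NULL0, srcs))
```

With the default via an upstream, only the null-routed /25 source is dropped; with the default on Null0, the unrouted 192.0.2.7 is dropped as well.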