[External] Re: uPRF strict more
Mark Tinka
mark at tinka.africa
Thu Sep 30 16:12:51 UTC 2021
On 9/30/21 17:56, Hunter Fuller wrote:
> On Thu, Sep 30, 2021 at 12:08 AM Mark Tinka <mark at tinka.africa> wrote:
>> If you don't plan to run a full BGP table on a device, don't enable uRPF, even loose-mode.
> At least in Ciscoland, loose URPF checks will pass if you have a
> default route. So I do not think it could result in inadvertent
> blackholing of traffic.
>
> What it does allow is for *deliberate* blackholing for traffic; if you
> null-route a prefix, you now block incoming traffic from that subnet
> as well. This can be useful and it is how we are using URPF.
Agreed.
I should have said "If you don't plan to run a full BGP table on a
device without a default a route as well, don't enable uRPF, even
loose-mode".
Principally, we don't run default on any of our service routers.
Technically, we point default to the bin on all our service routers, as
that's the fastest way for the router to handle illegal traffic it
"could" receive.
Mark.
More information about the NANOG
mailing list