[External] Re: uPRF strict more

Andrew Smith andrew.william.smith at gmail.com
Thu Sep 30 16:13:08 UTC 2021


In Ciscoland, you do have to explicitly state that the default route is
eligible for URPF verification, otherwise you'll get unexpected traffic
drops.

ip verify unicast source reachable-via any allow-default


And yes, its main purpose is for implementing source-based
remotely-triggered blackhole (SRTBH).

On Thu, Sep 30, 2021 at 10:58 AM Hunter Fuller via NANOG <nanog at nanog.org>
wrote:

> On Thu, Sep 30, 2021 at 12:08 AM Mark Tinka <mark at tinka.africa> wrote:
> > If you don't plan to run a full BGP table on a device, don't enable
> uRPF, even loose-mode.
>
> At least in Ciscoland, loose URPF checks will pass if you have a
> default route. So I do not think it could result in inadvertent
> blackholing of traffic.
>
> What it does allow is for *deliberate* blackholing for traffic; if you
> null-route a prefix, you now block incoming traffic from that subnet
> as well. This can be useful and it is how we are using URPF.
>
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH M-1A
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
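
A simplified model of the loose-mode check discussed in this thread, added here as an illustration; it is not part of the original messages and is not Cisco's implementation. The FIB entries, interface names and function names are constructed, and the model assumes that a source whose best route points to Null0 fails the check and that the default route counts only when allow-default is set.

```python
import ipaddress

# Constructed FIB for illustration: (prefix, next hop).
# "Null0" marks a discard route, as used for SRTBH.
FIB = [
    ("0.0.0.0/0", "GigabitEthernet0/0"),        # default route toward upstream
    ("198.51.100.0/24", "GigabitEthernet0/1"),  # specific customer prefix
    ("203.0.113.66/32", "Null0"),               # blackholed source (SRTBH)
]


def lookup(fib, addr):
    """Longest-prefix match; returns (network, next_hop) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, next_hop in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def loose_urpf_permits(fib, src, allow_default=False):
    """Model of 'reachable-via any': the source only needs a usable route
    out of some interface, not necessarily the one the packet arrived on."""
    hit = lookup(fib, src)
    if hit is None:
        return False                # no route to the source at all
    net, next_hop = hit
    if next_hop == "Null0":
        return False                # null-routed source: dropped on ingress too
    if net.prefixlen == 0 and not allow_default:
        return False                # default route not eligible for the check
    return True


if __name__ == "__main__":
    for src in ("198.51.100.7", "192.0.2.1", "203.0.113.66", "203.0.113.67"):
        for allow in (False, True):
            verdict = "permit" if loose_urpf_permits(FIB, src, allow) else "drop"
            print(f"src={src:<14} allow-default={allow!s:<5} -> {verdict}")
```

On a device without a full table, most legitimate sources match only the default route, so the first branch that differs between the two settings is the one that decides whether ordinary traffic is dropped.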