BCP38 For BGP Customers

Mike Hammett nanog at ics-il.net
Tue Nov 8 20:29:08 UTC 2022


" Reverse path filtering literally says don't accept a packet from 
somewhere that isn't currently the next hop for that packet's source 
address." 

FIB or RIB? 


I knew of uRPF as available over an interface, per the routing table, not best path available. Or is that implementation dependent? 



----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "William Herrin" <bill at herrin.us> 
To: "Grant Taylor" <gtaylor at tnetconsulting.net> 
Cc: nanog at nanog.org 
Sent: Tuesday, November 8, 2022 2:01:49 PM 
Subject: Re: BCP38 For BGP Customers 

On Tue, Nov 8, 2022 at 8:40 AM Grant Taylor via NANOG <nanog at nanog.org> wrote: 
> Maybe it's the lack of caffeine, but would someone please remind / 
> enlighten me as to why uRPF is a bad idea on downstream interfaces? 

Hi Grant, 

Two words: asymmetric routing. 

If the downstream network is architected in such a way that there's 
more than one path in and out of their network then there's no way to 
guarantee that any particular router believes the forward path to that 
network goes to a particular next hop. It can currently map to any 
next hop that goes in the direction of one of the valid paths. That 
routing is completely independent of how next hops are selected in the 
other direction. Packets can travel in one path and out another. 

Reverse path filtering literally says don't accept a packet from 
somewhere that isn't currently the next hop for that packet's source 
address. When it's possible for the forward route to point a different 
direction than the one from which valid packets are received, that is 
the wrong thing to do. In fact, it breaks the network. 

Useful automated reverse path filtering can ONLY be used when there is 
exactly ONE valid path to which and from which packets can be 
received. This is where strict mode uRPF actually works. 


> N.B. Maybe I'm thinking more a variant of uRPF wherein if I have a route 
> to the source from the interface in question. Thus not uRPF-strict 
> (active route) nor uRPF-loose (route on any interface). 

Even if a particular router happens to have RIB entries for all the 
valid paths to a host (a sketchy proposition at best), only one such 
entry will be stored in the FIB where uRPF looks to make its filtering 
decision. 

As for loose mode, it's basically useless in a BCP38 discussion. Loose 
mode only filters bogons. It doesn't prevent impersonation of any IP 
address currently routed in the system and doesn't do anything at all 
on a router with a default route. 

Regards, 
Bill Herrin 




-- 
For hire. https://bill.herrin.us/resume/ 
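The thread turns on three points: strict uRPF consults the single best path the FIB holds, so a multihomed customer whose traffic arrives over the non-preferred link gets dropped; loose mode only rejects sources with no route at all, so it passes spoofed packets for any routed address and passes everything once a default route exists; and the "route to the source via this interface" variant Grant describes has to look at the RIB rather than the FIB. The following simulation is an added example, not code from this thread or from any router vendor. It models a single edge router with a RIB (all learned paths) and a FIB (one installed best path), and the mode name `feasible` for the RIB-based variant is an assumption, as are the constructed prefixes and interface names.

```python
import ipaddress
from dataclasses import dataclass

MODES = ("strict", "loose", "feasible")


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    preference: int  # lower wins when prefix lengths tie


class Router:
    """Toy router: RIB keeps every learned path, FIB installs only the best."""

    def __init__(self):
        self.rib = []

    def add_route(self, prefix, interface, preference=100):
        self.rib.append(Route(ipaddress.ip_network(prefix), interface, preference))

    def rib_matches(self, addr):
        addr = ipaddress.ip_address(addr)
        return [r for r in self.rib if addr in r.prefix]

    def fib_lookup(self, addr):
        # Longest prefix match, then lowest preference: exactly ONE route wins,
        # which is the entry strict uRPF is forced to use.
        matches = self.rib_matches(addr)
        if not matches:
            return None
        return max(matches, key=lambda r: (r.prefix.prefixlen, -r.preference))

    def urpf(self, mode, src, ingress):
        """Return True if a packet with source `src` arriving on `ingress` is accepted."""
        if mode == "strict":
            best = self.fib_lookup(src)
            return best is not None and best.interface == ingress
        if mode == "loose":
            return self.fib_lookup(src) is not None  # any route at all suffices
        if mode == "feasible":
            # Assumed RIB-based variant: accept if ANY learned path to the
            # source points back out the ingress interface, not just the best one.
            return any(r.interface == ingress for r in self.rib_matches(src))
        raise ValueError(f"unknown uRPF mode {mode!r}")


def build_edge_router(with_default=False):
    # Constructed topology: a customer multihomed over cust-a and cust-b,
    # with cust-a preferred; a transit prefix reachable via upstream.
    r = Router()
    r.add_route("203.0.113.0/24", "cust-a", 100)  # best path, lands in the FIB
    r.add_route("203.0.113.0/24", "cust-b", 110)  # backup path, RIB only
    r.add_route("198.51.100.0/24", "upstream", 100)
    if with_default:
        r.add_route("0.0.0.0/0", "upstream", 200)
    return r


# Constructed sample packets: (source address, ingress interface, description)
PACKETS = [
    ("203.0.113.5", "cust-a", "customer traffic on the preferred link"),
    ("203.0.113.5", "cust-b", "customer traffic on the backup link (asymmetric)"),
    ("198.51.100.7", "cust-a", "spoofed source that belongs behind upstream"),
    ("192.0.2.99", "cust-a", "spoofed source with no route at all"),
]


def evaluate(with_default=False):
    """Map (src, ingress) -> {mode: accepted?} for every sample packet."""
    r = build_edge_router(with_default)
    return {
        (src, ingress): {m: r.urpf(m, src, ingress) for m in MODES}
        for src, ingress, _ in PACKETS
    }


if __name__ == "__main__":
    for with_default in (False, True):
        print(f"default route present: {with_default}")
        results = evaluate(with_default)
        for src, ingress, desc in PACKETS:
            verdicts = results[(src, ingress)]
            print(f"  {desc:<50} " + "  ".join(f"{m}={'ok' if v else 'DROP'}" for m, v in verdicts.items()))
```

Running it shows the asymmetric customer packet dropped only by strict mode, the spoofed-but-routed source dropped by strict and feasible but passed by loose, and, once a default route is added, loose mode accepting even the unrouted source. Real routers differ in how they order the FIB and in which uRPF variants they expose, so treat the model as an illustration of the argument, not of any particular implementation.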
