BCP38 For BGP Customers

• Previous message (by thread): BCP38 For BGP Customers
• Next message (by thread): BCP38 For BGP Customers
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 11/8/22 1:01 PM, William Herrin wrote:
> Hi Grant,

Hi Bill,

> Two words: asymmetric routing.

ACK

> Useful automated reverse path filtering can ONLY be used when there 
> is exactly ONE valid path to which and from which packets can be 
> received. This is where strict mode uRPF actually works.

This seems to be predicated on /strict/ uRPF enforcement.

> As for loose mode, it's basically useless in a BCP38 discussion. Loose 
> mode only filters bogons. It doesn't prevent impersonation of any 
> IP address currently routed in the system and doesn't do anything at 
> all on a router with a default route.

Okay.  I didn't see how /loose/ uRPF could do any good save for the DFZ 
or other situation where there isn't a default route.

This thread has made me wonder if there isn't a need for a 3rd type of 
uRPF or comparable filtering wherein the incoming interface is a viable 
route in the RIB even if it's not the best route in the FIB.

Thank you for the explanation Bill.



-- 
Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4017 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20221108/54b6abdb/attachment.bin>

• Previous message (by thread): BCP38 For BGP Customers
• Next message (by thread): BCP38 For BGP Customers
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]