<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p>Hi Mel,</p>
<p>My understanding of uRPF is:</p>
<p>* Strict mode will permit a packet only if there is a route for the source IP in the RIB, and that route points to the interface where the packet was received</p>
<p>* Loose mode will permit a packet if there is a route for the source IP in the RIB. It does not matter where the route is pointed.</p>
<p>Strict mode won't work for us, because with our multi-homed transits and IX peers, we will almost certainly drop a legitimate packet because the best route is through another transit.</p>
<p>Loose mode won't work for us, because all of our own prefixes are in our RIB, and thus the uRPF check on a transit would never block anything.</p>
<p>Or am I missing something?</p>
<p>Thanks,</p>
<p>-Brian</p>
<p>On 2020-10-13 17:22, Mel Beckman wrote:</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><!-- html ignored --> <!-- head ignored --><!-- meta ignored -->
<div dir="ltr"><span>You can also use Unicast Reverse Path Forwarding. RPF is more efficient than ACLs, and has the added advantage of not requiring maintenance. In a nutshell, if your router has a route to a prefix in its local RIB, then incoming packets from a border interface having a matching source IP will be dropped.</span></div>
<div dir="ltr"><span><br /> </span></div>
<div dir="ltr">RPF has knobs and dials to make it work for various ISP environments. Implement it carefully (as is be standing next to the router involved :)</div>
<div dir="ltr"><span><br /> </span></div>
<div dir="ltr"><span>Here's a Cisco brief on the topic:</span></div>
<div dir="ltr"> </div>
<div dir="ltr">
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"><a href="https://tools.cisco.com/security/center/resources/unicast_reverse_path_forwarding">https://tools.cisco.com/security/center/resources/unicast_reverse_path_forwarding</a></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"> </p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;"> </p>
<span></span>I think all router vendors support this feature. Here's a similar article by Juniper:</div>
<div dir="ltr"> </div>
<div dir="ltr"><a href="https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/interfaces-configuring-unicast-rpf.html">https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/interfaces-configuring-unicast-rpf.html</a></div>
<div dir="ltr"> </div>
<div dir="ltr"><br /> <span>-mel beckman</span><br /> <span></span><br />
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><span>On Oct 13, 2020, at 3:15 PM, Brian Knight via NANOG <nanog@nanog.org> wrote:</span></blockquote>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><span>We recently received an email notice from a group of security researchers who are looking at the feasibility of attacks using spoofed traffic. Their methodology, in broad strokes, was to send traffic to our DNS servers with a source IP that looked like it came from our network. Their attacks were successful, and they included a summary of what they found. So this message has started an internal conversation on what traffic we should be filtering and how.</span></blockquote>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><span>This security test was not about BCP 38 for ingress traffic from our customers, nor was it about BGP ingress filtering. This tested our ingress filtering from the rest of the Internet.</span></blockquote>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><span>It seems to me like we should be filtering traffic with spoofed IPs on our transit, IX, and peering links. I have done this filtering in the enterprise world extensively, and it's very helpful to keep out bad traffic. BCP 84 also discusses ingress filtering for SP's briefly and seems to advocate for it.</span></blockquote>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><span>We have about 15 IP blocks allocated to us. With a network as small as ours, I chose to go with a static ACL approach to start the conversation. I crafted a static ACL, blocking all ingress traffic sourced from any of our assigned IP ranges. I made sure to include:</span></blockquote>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><span>* Permit entries for P-t-P WAN subnets on peering links</span></blockquote>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><span>* Permit entries for IP assignments to customers running multi-homed BGP</span></blockquote>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><span>* The "permit ipv4 any any" at the end :)</span></blockquote>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><span>The questions I wanted to ask the SP community are:</span></blockquote>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><span>* What traffic filtering do you do on your transits, on IX ports, and your direct peering links?</span></blockquote>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><span>* How is it accomplished? Through static ACL or some flavor of uRPF?</span></blockquote>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><span>* If you use static ACLs, what is the administrative overhead like? What makes it easy or difficult to update?</span></blockquote>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><span>* How did you test your filters when they were implemented?</span></blockquote>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><span>Thanks a lot,</span></blockquote>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><span>-Brian</span></blockquote>
</div>
</blockquote>
<p><br /></p>
</body></html>