<div dir="ltr">We deploy urpf strict on all customer end-host and broadband circuits. In this scenario urpf = ingress acl I don't have to think about.<div><br></div><div>We deploy urpf loose on all customer multihomed DIA circuits. I dont this makes sense - ingress packet acl would be more sane.</div><div><br></div><div>Any flavour of urpf on upstream transit or peering would be challenging. Ingress packet acl dropping source = own+customer prefix might make sense depending on your AS topology.</div><div><br></div><div>You might argue that ingress packet acl would be operationally simpler on customer and upstream, as you could cover all scenarios.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Oct 15, 2020 at 10:05 AM Saku Ytti <<a href="mailto:saku@ytti.fi">saku@ytti.fi</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Thu, 15 Oct 2020 at 15:14, <<a href="mailto:adamv0025@netconsultings.com" target="_blank">adamv0025@netconsultings.com</a>> wrote:<br>
<br>
<br>
> Yes one should absolutely do that, but...<br>
> But considering to become a good netizen what is more work?<br>
> a) Testing and the enabling uRPF on every customer facing box or setting up precise ACLs on every customer facing port, and then maintaining all that?<br>
> b) Gathering all your PAs (potentially PIs) (hint: show bgp nei x.x.x.x advertised routes) crafting an ACL and apply it on several peering/transit links?<br>
> One of them is couple of weeks work and one is an afternoon job.<br>
<br>
I am not fan of uRPF, expensive for what it does. But I don't view it<br>
as an alternative here, I view it as either adding an ACE on all<br>
egresses on egress direction or adding ACE on the ingress where<br>
customer is on ingress direction.<br>
<br>
To me these options seem equally complex but the latter one seems superior.<br>
<br>
-- <br>
++ytti<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">Tim:></div>