<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<div dir="auto" style="direction: ltr; margin: 0; padding: 0; font-family: sans-serif; font-size: 11pt; color: black; ">
Yeah, but loose mode is inherently useless on any router carrying full tables.  (Ok, it can spot bogons, but that's a side effect and I have other ways to catch those.)<br>
</div>
<div dir="auto" style="direction: ltr; margin: 0; padding: 0; font-family: sans-serif; font-size: 11pt; color: black; ">
Point being that MANRS implementation in the "simple" case is (or, at least, CAN be) almost trivially easy, but in the "complex" case is quite difficult - I'm still not even sure I know how to do it 100% correctly with multi-homed downstream clients.  "Just turn on RPF" is starting to feel more like an article of faith rather than genuine technical guidance.  :-(<br>
</div>
<div dir="auto" style="direction: ltr; margin: 0; padding: 0; font-family: sans-serif; font-size: 11pt; color: black; ">
-Adam</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Brian Johnson &lt;brian.johnson@netgeek.us&gt;<br>
<b>Sent:</b> Friday, October 1, 2021 8:31:15 AM<br>
<b>To:</b> Adam Thompson &lt;athompson@merlin.mb.ca&gt;<br>
<b>Cc:</b> Amir Herzberg &lt;amir.lists@gmail.com&gt;; Randy Bush &lt;randy@psg.com&gt;; North American Network Operators' Group &lt;nanog@nanog.org&gt;<br>
<b>Subject:</b> Re: uPRF strict more</font>
<div> </div>
</div>
<div class="" style="word-wrap:break-word; line-break:after-white-space">For strict-mode... Completely agree.
<div class=""><br class="">
</div>
<div class="">As has been previously said, this is a tool that all players involved need to understand. This is no different than everyone correctly using BGP in their application for their outcomes.<br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">On Sep 29, 2021, at 12:07 PM, Adam Thompson <<a href="mailto:athompson@merlin.mb.ca" class="">athompson@merlin.mb.ca</a>> wrote:</div>
<br class="x_Apple-interchange-newline">
<div class="">
<div class="" style="font-style:normal; font-variant-caps:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; font-family:Calibri,Helvetica,sans-serif; font-size:12pt">
We just ran into a typical case where uRPF caused a partial outage for one of my customers: the customer is multi-homed, with another provider that I'm<span class="x_Apple-converted-space"> </span><b class="">also</b> connected to.  Customer advertised a longer-prefix
 to the other guy, so I started sending traffic destined for Customer to the Other Provider... who then promptly dropped it because they had uRPF enabled on the peering link, and they were seeing random source IPs that weren't mine.  Well... yeah, that can
 happen (semi-legitimately) anytime you have a topological triangle in peering.</div>
<div class="" style="font-style:normal; font-variant-caps:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; font-family:Calibri,Helvetica,sans-serif; font-size:12pt">
<br class="">
</div>
<div class="" style="font-style:normal; font-variant-caps:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; font-family:Calibri,Helvetica,sans-serif; font-size:12pt">
I've concluded over the last 2 years that uRPF is<span class="x_Apple-converted-space"> </span><b class="">only</b> useful on interfaces pointing directly at non-multi-homed customers, and<span class="x_Apple-converted-space"> </span><b class="">actively dangerous<span class="x_Apple-converted-space"> </span></b>anywhere
 else.</div>
<div class="" style="font-style:normal; font-variant-caps:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; font-family:Calibri,Helvetica,sans-serif; font-size:12pt">
<br class="">
</div>
<div class="" style="font-style:normal; font-variant-caps:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; font-family:Calibri,Helvetica,sans-serif; font-size:12pt">
-Adam<br class="">
</div>
<div class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-variant-caps:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none">
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><br class="">
</div>
<div id="x_Signature" class="">
<div class="">
<div class="" style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><b class="" style="text-align:start; background-color:rgb(255,255,255)"><span class="" style="margin:0px; font-size:10pt; color:rgb(68,84,106)">Adam Thompson</span></b><span class="" style="margin:0px; font-size:9pt; color:rgb(68,84,106); text-align:start; background-color:rgb(255,255,255)"><br class="">
Consultant, Infrastructure Services<br class="">
100 - 135 Innovation Drive<br class="">
Winnipeg, MB, R3T 6A8<br class="">
(204) 977-6824 or 1-800-430-6404 (MB only)<br class="">
<a href="mailto:athompson@merlin.mb.ca" target="_blank" rel="noopener noreferrer" class="" style="margin:0px"><span class="" style="margin:0px">athompson@merlin.mb.ca</span></a><br class="">
<a href="http://www.merlin.mb.ca/" target="_blank" rel="noopener noreferrer" class="" style="margin:0px"><span class="" style="margin:0px">www.merlin.mb.ca</span></a></span><br class="">
</div>
</div>
</div>
</div>
<div id="x_appendonsend" class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-variant-caps:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none">
</div>
<hr tabindex="-1" class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-variant-caps:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; display:inline-block; width:632.09375px">
<span class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-variant-caps:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; float:none; display:inline!important"></span>
<div id="x_divRplyFwdMsg" dir="ltr" class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-variant-caps:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none">
<font face="Calibri, sans-serif" class="" style="font-size:11pt"><b class="">From:</b><span class="x_Apple-converted-space"> </span>NANOG <<a href="mailto:nanog-bounces+athompson=merlin.mb.ca@nanog.org" class="">nanog-bounces+athompson=merlin.mb.ca@nanog.org</a>>
 on behalf of Amir Herzberg <<a href="mailto:amir.lists@gmail.com" class="">amir.lists@gmail.com</a>><br class="">
<b class="">Sent:</b><span class="x_Apple-converted-space"> </span>September 28, 2021 20:06<br class="">
<b class="">To:</b><span class="x_Apple-converted-space"> </span>Randy Bush <<a href="mailto:randy@psg.com" class="">randy@psg.com</a>><br class="">
<b class="">Cc:</b><span class="x_Apple-converted-space"> </span>North American Network Operators' Group <<a href="mailto:nanog@nanog.org" class="">nanog@nanog.org</a>><br class="">
<b class="">Subject:</b><span class="x_Apple-converted-space"> </span>Re: uPRF strict more</font>
<div class=""> </div>
</div>
<div class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-variant-caps:normal; font-weight:normal; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none">
<div dir="ltr" class="">Randy, great question. I'm teaching that it's very rarely, if ever, used (due to high potential for benign loss); it's always great to be either confirmed or corrected... 
<div class=""><br class="">
</div>
<div class="">So if anyone replies just to Randy - pls cc me too (or, Randy, if you could sum up and send to list or me - thanks!)</div>
<div class=""><br class="">
</div>
<div class="">Amir<br clear="all" class="">
<div class="">
<div dir="ltr" class="x_x_gmail_signature">
<div dir="ltr" class="">
<div dir="ltr" class="">--<span class="x_Apple-converted-space"> </span><br class="">
<div class="">Amir Herzberg<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Comcast professor of Security Innovations, Computer Science and Engineering, University of Connecticut</div>
<div class="">Homepage: <a href="https://sites.google.com/site/amirherzberg/home" target="_blank" class="">https://sites.google.com/site/amirherzberg/home</a></div>
<div class="">`Applied Introduction to Cryptography' textbook and lectures:<a href="https://sites.google.com/site/amirherzberg/applied-crypto-textbook" target="_blank" class=""> https://sites.google.com/site/amirherzberg/applied-crypto-textbook</a></div>
<div class=""><br class="">
</div>
<br class="">
</div>
</div>
</div>
</div>
<br class="">
</div>
</div>
<br class="">
<div class="x_x_gmail_quote">
<div dir="ltr" class="x_x_gmail_attr">On Tue, Sep 28, 2021 at 8:50 PM Randy Bush <<a href="mailto:randy@psg.com" class="">randy@psg.com</a>> wrote:<br class="">
</div>
<blockquote class="x_x_gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left-width:1px; border-left-style:solid; border-left-color:rgb(204,204,204); padding-left:1ex">
do folk use uPRF strict mode?  i always worried about the multi-homed<br class="">
customer sending packets out the other way which loop back to me;  see<br class="">
RFC 8704 §2.2<br class="">
<br class="">
do vendors implement the complexity of 8704; and, if so, do operators<br class="">
use it?<br class="">
<br class="">
clue bat please<br class="">
<br class="">
randy</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
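<div>Added example, not part of any message in the thread: a small model of the strict and loose uRPF checks applied to the peering triangle and the multi-homed customer case discussed above. The FIB, interface names and addresses (documentation ranges) are constructed assumptions, and the check is a simplified longest-prefix lookup rather than any vendor's implementation.</div>

```python
import ipaddress

# Constructed FIB for the "Other Provider" router in the triangle described
# in the thread. Interface names and prefixes (RFC 5737 documentation ranges)
# are assumptions made for this example.
FIB = {
    "198.51.100.0/24": {"peer-adam"},   # Adam's own address space
    "203.0.113.0/25": {"cust"},         # longer prefix the customer announced here
    "203.0.113.128/25": {"peer-adam"},  # customer prefix announced only via Adam
    "192.0.2.0/24": {"transit"},        # a third party elsewhere on the Internet
}

def best_route(fib, addr):
    """Longest-prefix match; returns the interface set of the best route or None."""
    ip = ipaddress.ip_address(addr)
    matches = [ipaddress.ip_network(p) for p in fib if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    best = max(matches, key=lambda n: n.prefixlen)
    return fib[str(best)]

def urpf_accepts(fib, src, in_iface, mode):
    """Return True if a packet with source `src` arriving on `in_iface` passes uRPF."""
    ifaces = best_route(fib, src)
    if ifaces is None:
        return False            # unrouted source (bogon): dropped in both modes
    if mode == "loose":
        return True             # any route at all is enough
    return in_iface in ifaces   # strict: best route must point back out in_iface

# Constructed packets: (description, source address, arrival interface)
PACKETS = [
    ("Adam's own host", "198.51.100.10", "peer-adam"),
    ("third party routed via Adam to the customer", "192.0.2.55", "peer-adam"),
    ("customer sourcing from its other prefix", "203.0.113.200", "cust"),
    ("unrouted source", "10.1.1.1", "peer-adam"),
]

def verdicts(mode):
    """Map each constructed packet description to its pass/drop result."""
    return {desc: urpf_accepts(FIB, src, iface, mode) for desc, src, iface in PACKETS}

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        for desc, ok in verdicts(mode).items():
            print(f"{mode:6} {'pass' if ok else 'DROP'}  {desc}")
```

<div>Strict mode drops the two legitimate asymmetric flows, while loose mode passes every source that has any route and only rejects the unrouted one.</div>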
</body>
</html>