<html><head></head><body><div dir="ltr">Hey Charles,<div>My recommendation would not be to run uRPF facing a BGP customer. </div><div><br></div><div>That said, you have two issues to address here: one is the acceptance of prefix advertisements, and the other is the acceptance of traffic. </div><div><br></div><div>uRPF does nothing to help with the former, and the gold standard there is generally considered to be RPKI. IRR-based filtering is another reasonable way to filter prefix advertisements you receive, and several well-known IXes and transit providers, for example, do just this. </div><div><br></div><div>The latter, acceptance of traffic, is a broader challenge. In essence, you don't really have a good way to know what traffic is legitimate and what isn't. My advice would be simply to watch for things you don't expect, log them when they occur in significant quantity, and manually review incidents that are unexpected to understand why. If you cannot understand why, then you can work with the client sending the traffic to try to understand it, or block that specific traffic from that specific client. uRPF on a client circuit raises exactly the issues you've already raised. Many clients, even smaller ones, who choose to run BGP sessions with transit providers will wish to be able to employ common TE practices, and by deploying uRPF, you may very well be creating a nasty situation for them which potentially is also difficult for smaller shops without high-end tooling in place to diagnose easily.
</div><div><br></div><div>- mdh</div><div><br></div><div>Matt Harris<br>VP OF INFRASTRUCTURE<br><a href="mailto:matt.harris@netfire.net">matt.harris@netfire.net</a> | 816-256-5446 | <a href="https://www.netfire.com/">www.netfire.com</a></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Nov 7, 2022 at 1:22 PM Charles Rumford via NANOG &lt;<a href="mailto:nanog@nanog.org">nanog@nanog.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello -<br>
<br>
I'm currently working on getting BCP38 filtering in place for our BGP <br>
customers. My current plan is to use the Juniper uRPF feature to filter out <br>
spoofed traffic based on the routing table. The mentality would be: "If you <br>
don't send us the prefix, then we don't accept the traffic". This has raised <br>
some issues amongst our network engineers regarding multi-homed customers.<br>
<br>
One of the issues raised was if a multi-homed BGP customer revoked a prefix from <br>
one of their peerings, but continued sending us traffic on the link then we <br>
would drop the traffic.<br>
<br>
I would like to hear what others are doing for BCP38 deployments for BGP <br>
customers. Are you taking the stance of "if you don't send us the prefix, then <br>
we don't accept the traffic"? Are you putting in some kind of fallback filter <br>
based on something like IRR data?<br>
<br>
Thanks!<br>
<br>
-- <br>
Charles Rumford (he/his/him)<br>
Network Engineer | Deft<br>
1-312-268-9342 | <a href="mailto:charlesr@deft.com" target="_blank">charlesr@deft.com</a><br>
<a href="http://deft.com" rel="noreferrer" target="_blank">deft.com</a><br>
</blockquote></div>
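<div>An added example, not part of either message in this thread: a simplified model of the trade-off discussed above, classifying sampled source addresses on a customer port against the prefixes the customer currently advertises and against their IRR-registered prefixes, then logging rather than dropping. All prefixes, flow samples, the /24 aggregation and the threshold are constructed assumptions, and "advertised" stands in for what strict uRPF would accept.</div>

```python
import ipaddress
from collections import Counter

# Constructed sample data (not from the thread); IPv4 only.
ADVERTISED = ["192.0.2.0/24"]                          # prefixes currently received over BGP
IRR_REGISTERED = ["192.0.2.0/24", "198.51.100.0/24"]   # customer's registered route objects
FLOW_SOURCES = (["192.0.2.10"] * 5          # source inside an advertised prefix
                + ["198.51.100.7"] * 4      # prefix withdrawn on this link, still in IRR
                + ["203.0.113.9"] * 3 + ["203.0.113.200"]  # not advertised, not registered
                + ["10.1.2.3"])             # single stray packet


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def classify(src, advertised, irr):
    """Return 'advertised', 'irr-only' or 'unexpected' for one source address."""
    addr = ipaddress.ip_address(src)
    if any(addr in n for n in advertised):
        return "advertised"      # strict uRPF would accept this
    if any(addr in n for n in irr):
        return "irr-only"        # strict uRPF would drop; an IRR fallback filter accepts
    return "unexpected"          # candidate for logging and manual review


def review(flow_sources, advertised, irr, threshold=3):
    """Count verdicts and list unexpected /24s seen at least `threshold` times."""
    adv, reg = _nets(advertised), _nets(irr)
    verdicts, unexpected = Counter(), Counter()
    for src in flow_sources:
        verdict = classify(src, adv, reg)
        verdicts[verdict] += 1
        if verdict == "unexpected":
            # Aggregate by covering /24 so scattered sources still add up.
            unexpected[ipaddress.ip_network(f"{src}/24", strict=False)] += 1
    to_review = sorted(str(n) for n, c in unexpected.items() if c >= threshold)
    return dict(verdicts), to_review


if __name__ == "__main__":
    verdicts, to_review = review(FLOW_SOURCES, ADVERTISED, IRR_REGISTERED)
    print("verdicts:", verdicts)
    print("strict uRPF would drop:", verdicts["irr-only"] + verdicts["unexpected"])
    print("review these source ranges:", to_review)
```

<div>The "irr-only" bucket is the multi-homed case raised in the original question: traffic that a route-table check drops but that belongs to a prefix the customer legitimately holds.</div>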
</body></html>