On Tue, Aug 29, 2017 at 08:41:12AM -0400, Robert Blayzor wrote:
On 29 August 2017 at 03:38, Robert Blayzor <rblayzor.bulk@inoc.net> wrote:
Well not completely useless. BCP will still drop BOGONs at the edge before they leak into your network.
Assuming you don't use them in your own infra. And cost of RPF is lot higher than cost of ACL. Them being entirely static entities they should be in your edgeACL. The only real justification for loose RPF is source based blackholing.
Well, if you are using public IP addresses for infra you are violating your RIR’s policy more than likely.
There may be some miscommunication here or confusion on terminology used. But for instance using public, globally unique addresses for your router's loopback addresses, or router-to-router linknets is fine and not a violation.
And if you’re using RFC1918 space in your global routing table, then thats another fiasco you’ll have to deal with.
Then don't do that! :)
Managing ACL’s for customer routes has far more overhead (and cost, ie: time, human error, etc) than to just use RPF on an edge port. I believe the OP was talking about multi-homed, in that case if run a tight ship in your network RPF loose is probably a good choice. It at least gives you an easy way to not accept total trash at the edge.
I am not sure what "RPF loose" offers that can't be done with a static general purpose edge ACL can't offer to protect your infrastructure and deny obvious bogons. Kind regards, Job