Yeah, but loose mode is inherently useless on any router carrying full tables.  (Ok, it can spot bogons, but that's a side effect and I have other ways to catch those.)
Point being that MANRS implementation in the "simple" case is (or, at least, CAN be) almost trivially easy, but in the "complex" case is quite difficult - I'm still not even sure I know how to do it 100% correctly with multi-homed downstreams clients.  "Just turn on RPF"  is starting to feel more like an article of faith rather than genuine technical guidance.  :-(
-Adam

Get Outlook for Android

From: Brian Johnson <brian.johnson@netgeek.us>
Sent: Friday, October 1, 2021 8:31:15 AM
To: Adam Thompson <athompson@merlin.mb.ca>
Cc: Amir Herzberg <amir.lists@gmail.com>; Randy Bush <randy@psg.com>; North American Network Operators' Group <nanog@nanog.org>
Subject: Re: uPRF strict more
 
For strict-mode... Completely agree.

As has been previously said, this is a tool that all players involved need to understand. This is no different than everyone correctly using BGP in their application for their outcomes.

On Sep 29, 2021, at 12:07 PM, Adam Thompson <athompson@merlin.mb.ca> wrote:

We just ran into a typical case where uRPF caused a partial outage for one of my customers: the customer is multi-homed, with another provider that I'm also​ connected to.  Customer advertised a longer-prefix to the other guy, so I started sending traffic destined for Customer to the Other Provider... who then promptly dropped it because they had uRPF enabled on the peering link, and they were seeing random source IPs that weren't mine.  Well... yeah, that can happen (semi-legitimately) anytime you have a topological triangle in peering.

I've concluded over the last 2 years that uRPF is only​ useful on interfaces pointing directly at non-multi-homed customers, and actively dangerous anywhere else.

-Adam

Adam Thompson
Consultant, Infrastructure Services
1593169877849
100 - 135 Innovation Drive
Winnipeg, MB, R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
athompson@merlin.mb.ca
www.merlin.mb.ca


From: NANOG <nanog-bounces+athompson=merlin.mb.ca@nanog.org> on behalf of Amir Herzberg <amir.lists@gmail.com>
Sent: September 28, 2021 20:06
To: Randy Bush <randy@psg.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
Subject: Re: uPRF strict more
 
Randy, great question. I'm teaching that it's very rarely, if ever, used (due to high potential for benign loss); it's always great to be either confirmed or corrected... 

So if anyone replies just to Randy - pls cc me too (or, Randy, if you could sum up and send to list or me - thanks!)

Amir
-- 
Amir Herzberg

Comcast professor of Security Innovations, Computer Science and Engineering, University of Connecticut
`Applied Introduction to Cryptography' textbook and lectures: https://sites.google.com/site/amirherzberg/applied-crypto-textbook




On Tue, Sep 28, 2021 at 8:50 PM Randy Bush <randy@psg.com> wrote:
do folk use uPRF strict mode?  i always worried about the multi-homed
customer sending packets out the other way which loop back to me;  see
RFC 8704 §2.2

do vendors implement the complexity of 8704; and, if so, do operators
use it?

clue bat please

randy