We just ran into a typical case where uRPF caused a partial outage for one of my customers: the customer is multi-homed, with another provider that I'm also connected to. Customer advertised a longer-prefix to the other guy, so I started sending traffic destined for Customer to the Other Provider... who then promptly dropped it because they had uRPF enabled on the peering link, and they were seeing random source IPs that weren't mine. Well... yeah, that can happen (semi-legitimately) anytime you have a topological triangle in peering.
I've concluded over the last 2 years that uRPF is only useful on interfaces pointing directly at non-multi-homed customers, and actively dangerous anywhere else.
-Adam
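The benign loss Adam describes, and the loop-back case Randy asks about (customer sends out via the other provider, packet comes back to you on the peering link), both come down to which table the reverse-path check consults. The following is an added example, not code from the thread or from any vendor: a toy router model with a constructed FIB and Adj-RIB-In for "Provider A", and the three check styles discussed in RFC 8704 (strict, loose, feasible-path). The prefixes, interface names and the rule that loose mode ignores the default route are assumptions of the model, not real configuration.

```python
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network  # short alias


@dataclass
class Router:
    """Minimal model of one router's forwarding state (constructed example)."""
    # FIB: best route per prefix -> interface the router would forward out of.
    fib: dict
    # Adj-RIB-In: every prefix *received* on each interface, including paths that
    # lost best-path selection. Feasible-path uRPF consults this rather than the
    # FIB, which is what lets it tolerate an asymmetric return path.
    adj_rib_in: dict

    def lookup(self, src):
        """Longest-prefix match on the FIB; returns (prefix, iface) or None."""
        addr = ipaddress.IPv4Address(src)
        best = None
        for pfx, iface in self.fib.items():
            if addr in pfx and (best is None or pfx.prefixlen > best[0].prefixlen):
                best = (pfx, iface)
        return best

    def strict_urpf(self, src, in_iface):
        """Strict mode: accept only if the best route back to src exits the
        interface the packet arrived on."""
        hit = self.lookup(src)
        return hit is not None and hit[1] == in_iface

    def loose_urpf(self, src):
        """Loose mode: accept if src is reachable at all. This model deliberately
        does not count the default route as reachability (assumption)."""
        hit = self.lookup(src)
        return hit is not None and hit[0].prefixlen > 0

    def feasible_path_urpf(self, src, in_iface):
        """Feasible-path mode: accept if src falls in *any* prefix learned on the
        ingress interface, even one that lost best-path selection."""
        addr = ipaddress.IPv4Address(src)
        return any(addr in pfx for pfx in self.adj_rib_in.get(in_iface, ()))

    def evaluate(self, src, in_iface):
        """Run all three checks for one packet; True means 'accept'."""
        return {
            "strict": self.strict_urpf(src, in_iface),
            "loose": self.loose_urpf(src),
            "feasible": self.feasible_path_urpf(src, in_iface),
        }


def build_provider_a():
    """Provider A from the thread: one directly attached multi-homed customer,
    a peering link to the other provider B, and a default toward transit.
    All prefixes are documentation ranges chosen for this example."""
    cust = Net("203.0.113.0/24")   # the multi-homed customer
    peer = Net("198.51.100.0/24")  # B's own address space
    transit = Net("192.0.2.0/24")  # a remote network A reaches via its upstream
    fib = {
        cust: "cust",              # A prefers its direct customer link
        peer: "peer",
        transit: "upstream",
        Net("0.0.0.0/0"): "upstream",
    }
    adj_rib_in = {
        "cust": {cust},
        # B re-advertises the customer's prefix over the peering session; A
        # receives it but it loses to the direct path, so it never reaches the FIB.
        "peer": {peer, cust},
        "upstream": {transit, Net("0.0.0.0/0")},
    }
    return Router(fib, adj_rib_in)


if __name__ == "__main__":
    a = build_provider_a()
    # Constructed packets as A would see them; the first four arrive from B.
    samples = [
        ("203.0.113.10", "peer", "customer egressed via B, loops back to A"),
        ("198.51.100.5", "peer", "B's own address, symmetric path"),
        ("192.0.2.77", "peer", "legitimate transit source A reaches via upstream"),
        ("240.0.0.1", "peer", "unrouted source (only the default route matches)"),
        ("203.0.113.10", "cust", "customer on its own direct link"),
    ]
    for src, iface, why in samples:
        print(f"{src:>14} via {iface:<8} {a.evaluate(src, iface)}  # {why}")
```

Running it shows the two failure modes from the thread side by side: the looped-back customer packet and the transit source both fail strict mode on the peering interface even though they are legitimate, while the unrouted source is refused by every mode. Feasible-path mode rescues the multi-homed customer case (the prefix was received on the peering session, just not selected) but still drops the transit source, which is why it is pitched at customer-facing links rather than peering links.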
Randy, great question. I'm teaching that it's very rarely, if ever, used (due to high potential for benign loss); it's always great to be either confirmed or corrected...
So if anyone replies just to Randy - pls cc me too (or, Randy, if you could sum up and send to list or me - thanks!)
Amir
--
Amir Herzberg
Comcast professor of Security Innovations, Computer Science and Engineering, University of Connecticut
On Tue, Sep 28, 2021 at 8:50 PM Randy Bush <randy@psg.com> wrote:
do folk use uRPF strict mode? i always worried about the multi-homed
customer sending packets out the other way which loop back to me; see
RFC 8704 §2.2
do vendors implement the complexity of 8704; and, if so, do operators
use it?
clue bat please
randy