As an eyeball network operator (Cable, DSL, Fiber) we use uRPF strict mode on customer facing ports on the BRAS gear. Our access gear also tends to include source address verification via DHCP snooping (as well as limits on the number of DHCP leases and/or MAC addresses each customer is allowed) so there are a couple layers of protection. I do not use uRPF on upstream/transit/IX links or with multi-homed customers - or anywhere else where traffic could be asymmetrical; I prefer to use stateless ACLs at these locations. On 9/28/2021 8:06 PM, Amir Herzberg wrote:
Randy, great question. I'm teaching that it's very rarely, if ever, used (due to high potential for benign loss); it's always great to be either confirmed or corrected...
So if anyone replies just to Randy - pls cc me too (or, Randy, if you could sum up and send to list or me - thanks!)
Amir -- Amir Herzberg
Comcast professor of Security Innovations, Computer Science and Engineering, University of Connecticut Homepage: https://sites.google.com/site/amirherzberg/home <https://sites.google.com/site/amirherzberg/home> `Applied Introduction to Cryptography' textbook and lectures: https://sites.google.com/site/amirherzberg/applied-crypto-textbook <https://sites.google.com/site/amirherzberg/applied-crypto-textbook>
On Tue, Sep 28, 2021 at 8:50 PM Randy Bush <randy@psg.com <mailto:randy@psg.com>> wrote:
do folk use uPRF strict mode? i always worried about the multi-homed customer sending packets out the other way which loop back to me; see RFC 8704 §2.2
do vendors implement the complexity of 8704; and, if so, do operators use it?
clue bat please
randy