On 17 August 2017 at 16:11, William Herrin <bill@herrin.us> wrote:
> Doesn't loose mode URPF allow packets from anything that exists in the routing table regardless of source? Seems just about worthless. You're allowing the site to spoof anything in the routing table which is NOT BCP38.
Correct. uRPF/loose is pretty undesirable; given what you get for the premium you pay, it's rarely justifiable.
Strict mode URPF down paths guaranteed to be single-homed. Manually configure allowed sources and announcements for BGP-talking customers.
JunOS offers 'strict feasible', which would allow a packet if there is some route pointing to that interface, not necessarily the best one. But even that would not be well received by customers: some do TE by omitting a prefix from their advertisements yet send traffic out without any specific policy, so you may receive traffic from a prefix they are allowed to advertise but do not. I've previously used the same prefix-list in JunOS for BGP and the firewall filter with good success, but unfortunately sometimes even telling what prefixes might be behind a specific BGP session/interface is not trivial.

--
++ytti
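As an added illustration (not part of the thread, and not JunOS code), the following Python model compares how loose, strict and strict-feasible uRPF and a per-customer prefix-list filter each judge a source address against a constructed routing table; the RIB, interface names and prefixes are made up for the example.

```python
import ipaddress

# Constructed RIB for this demonstration: (prefix, egress interface, preference).
# The lowest preference for a prefix is the active route the FIB installs.
RIB = [
    ("192.0.2.0/24",    "cust-A",  10),  # announced by customer A, active via A
    ("198.51.100.0/24", "cust-A",  20),  # announced by A, but transit is preferred...
    ("198.51.100.0/24", "transit", 10),  # ...so the active route points at transit
    ("203.0.113.0/24",  "transit", 10),  # not a customer A prefix at all
    ("198.18.0.0/24",   "transit", 10),  # A may announce it but withholds it (TE)
]
# Prefixes customer A may announce: the one list reused for BGP and the firewall filter.
ALLOWED = {"cust-A": ["192.0.2.0/24", "198.51.100.0/24", "198.18.0.0/24"]}

def matching_routes(src):
    """Routes covering src, longest prefix first, then best preference."""
    ip = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), iface, pref) for p, iface, pref in RIB
            if ip in ipaddress.ip_network(p)]
    hits.sort(key=lambda r: (-r[0].prefixlen, r[2]))
    return hits  # hits[0], if any, is the active route

def urpf_loose(src, ingress):
    # Any route to the source anywhere suffices; the ingress interface is ignored.
    return bool(matching_routes(src))

def urpf_strict(src, ingress):
    # The active route for the source must point back out of the ingress.
    hits = matching_routes(src)
    return bool(hits) and hits[0][1] == ingress

def urpf_feasible(src, ingress):
    # Any route for the longest-match prefix may point at the ingress, active or not.
    hits = matching_routes(src)
    return any(r[1] == ingress for r in hits if r[0].prefixlen == hits[0][0].prefixlen)

def prefix_list_filter(src, ingress):
    # Static allow-list keyed on the ingress interface; routing state is irrelevant.
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in ALLOWED.get(ingress, []))

def verdicts(src, ingress="cust-A"):
    """Accept (True) or drop (False) per mechanism for a packet from src on ingress."""
    return {"loose": urpf_loose(src, ingress), "strict": urpf_strict(src, ingress),
            "feasible": urpf_feasible(src, ingress),
            "prefix-list": prefix_list_filter(src, ingress)}

if __name__ == "__main__":
    for src in ("192.0.2.1", "198.51.100.1", "198.18.0.1", "203.0.113.1", "10.0.0.1"):
        print(src, verdicts(src))
```

The last three sources show the trade-off the thread describes: loose mode accepts the non-customer prefix, strict feasible still drops the withheld TE prefix, and only the prefix-list accepts exactly what the customer is entitled to announce.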