Hi Brad, I'd be interested to hear more about this pps penalty. Do we talk about 5% penalty or something closer to 50%? Let me know if you still have some numbers close to you related to PPS with uRPF loose. Thanks Jean -----Original Message----- From: NANOG <nanog-bounces+jean=ddostest.me@nanog.org> On Behalf Of brad dreisbach Sent: September 29, 2021 2:35 PM To: Phil Bedard <bedard.phil@gmail.com> Cc: North American Network Operators' Group <nanog@nanog.org> Subject: Re: uPRF strict more On Wed, Sep 29, 2021 at 06:14:21PM +0000, Phil Bedard wrote:
Disclosure I work for Cisco and try to look after some of their peering guidelines.
Agree with Adam’s statement, use uRPF on edge DIA customers. Using it elsewhere on the network eventually is going to cause some issue and its usefulness today is almost nil. That being said we still see large providers who have it turned on for peering/transit interfaces either out of legacy configuration or other reasons. The vast majority do not use it for those interface roles.
uRPF incurs a quite severe pps penalty on all of the NPUs i've ever tested. we have dabbled with it many times over the years and always eventually end up turning it off(for good this last time, probably). -b
Phil
From: NANOG <nanog-bounces+bedard.phil=gmail.com@nanog.org> on behalf of Adam Thompson <athompson@merlin.mb.ca> Date: Wednesday, September 29, 2021 at 1:08 PM To: Amir Herzberg <amir.lists@gmail.com>, Randy Bush <randy@psg.com> Cc: North American Network Operators' Group <nanog@nanog.org> Subject: Re: uPRF strict more We just ran into a typical case where uRPF caused a partial outage for one of my customers: the customer is multi-homed, with another provider that I'm also connected to. Customer advertised a longer-prefix to the other guy, so I started sending traffic destined for Customer to the Other Provider... who then promptly dropped it because they had uRPF enabled on the peering link, and they were seeing random source IPs that weren't mine. Well... yeah, that can happen (semi-legitimately) anytime you have a topological triangle in peering.
I've concluded over the last 2 years that uRPF is only useful on interfaces pointing directly at non-multi-homed customers, and actively dangerous anywhere else.
-Adam
Adam Thompson Consultant, Infrastructure Services [1593169877849] 100 - 135 Innovation Drive Winnipeg, MB, R3T 6A8 (204) 977-6824 or 1-800-430-6404 (MB only) athompson@merlin.mb.ca<mailto:athompson@merlin.mb.ca> www.merlin.mb.ca<http://www.merlin.mb.ca/> ________________________________ From: NANOG <nanog-bounces+athompson=merlin.mb.ca@nanog.org> on behalf of Amir Herzberg <amir.lists@gmail.com> Sent: September 28, 2021 20:06 To: Randy Bush <randy@psg.com> Cc: North American Network Operators' Group <nanog@nanog.org> Subject: Re: uPRF strict more
Randy, great question. I'm teaching that it's very rarely, if ever, used (due to high potential for benign loss); it's always great to be either confirmed or corrected...
So if anyone replies just to Randy - pls cc me too (or, Randy, if you could sum up and send to list or me - thanks!)
Amir -- Amir Herzberg
Comcast professor of Security Innovations, Computer Science and Engineering, University of Connecticut Homepage: https://sites.google.com/site/amirherzberg/home `Applied Introduction to Cryptography' textbook and lectures: https://sites.google.com/site/amirherzberg/applied-crypto-textbook<http s://sites.google.com/site/amirherzberg/applied-crypto-textbook>
On Tue, Sep 28, 2021 at 8:50 PM Randy Bush <randy@psg.com<mailto:randy@psg.com>> wrote: do folk use uPRF strict mode? i always worried about the multi-homed customer sending packets out the other way which loop back to me; see RFC 8704 §2.2
do vendors implement the complexity of 8704; and, if so, do operators use it?
clue bat please
randy