Matt Harris | Infrastructure Lead Engineer | 816‑256‑5446 (Direct)
On Tue, Oct 13, 2020 at 5:22 PM Mel Beckman <mel@beckman.org> wrote:
You can also use Unicast Reverse Path Forwarding. RPF is more efficient than ACLs, and has the added advantage of not requiring maintenance. In a nutshell, if your router has a route to a prefix in its local RIB, then incoming packets from a border interface having a matching source IP will be dropped.

RPF has knobs and dials to make it work for various ISP environments. Implement it carefully (as in, be standing next to the router involved):

I received one of the aforementioned messages as well, and my response was that perhaps the best overall step towards protection at scale from the issue they raise would be for SPs to implement uRPF facing stubby, single-homed networks. This is effectively the low-hanging fruit and doesn't require too much additional labor in terms of maintaining additional ACLs or prefix lists. In the case of multi-homed networks, things are less straightforward, but multi-homed networks make up a minority even if we exclude consumer internet connections.

Take care,
Matt
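The strict/loose distinction the thread turns on, and the multi-homed caveat Matt raises, can be seen in a small model of the per-packet uRPF decision. This is an added example, not code from the thread or from any router vendor: it imitates a router's source-address check against a routing table. The RIB, prefixes (203.0.113.0/24, 198.51.100.0/24, 192.0.2.9), interface names and packets are all constructed for illustration.

```python
# Added example: a model of unicast Reverse Path Forwarding (uRPF) source checks.
# Not router code; it reproduces the decision a router makes per packet so the
# strict/loose difference and the multi-homed failure mode are visible.
# All prefixes, interface names and packets below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # interface the router would use to reach this prefix


class Rib:
    """Minimal routing table with longest-prefix-match lookup."""

    def __init__(self, routes):
        self.routes = [Route(ipaddress.ip_network(p), ifc) for p, ifc in routes]

    def lookup(self, addr: str) -> Optional[Route]:
        ip = ipaddress.ip_address(addr)
        best = None
        for r in self.routes:
            if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


def urpf_check(rib: Rib, src: str, ingress: str, mode: str = "strict",
               allow_default: bool = False) -> bool:
    """Return True if a packet from `src` arriving on `ingress` passes uRPF.

    strict: the best route back to the source must point out the ingress interface.
    loose:  any route to the source suffices (the default route only if allowed).
    """
    route = rib.lookup(src)
    if route is None:
        return False  # no route back to the source: dropped in both modes
    if route.prefix.prefixlen == 0 and not allow_default:
        return False  # default route is ignored unless explicitly allowed
    if mode == "loose":
        return True
    if mode == "strict":
        return route.interface == ingress
    raise ValueError(f"unknown uRPF mode: {mode}")


# Constructed RIB: a stub customer on Gi0/1, a multi-homed customer whose best
# route points to Gi0/2 but who also sends over Gi0/3 (asymmetric routing),
# and an upstream default on Gi0/0.
RIB = Rib([
    ("203.0.113.0/24", "Gi0/1"),
    ("198.51.100.0/24", "Gi0/2"),
    ("0.0.0.0/0", "Gi0/0"),
])

# Constructed packets: (source address, ingress interface, description)
PACKETS = [
    ("203.0.113.7", "Gi0/1", "stub customer, legitimate"),
    ("192.0.2.9", "Gi0/1", "spoofed source with no customer route"),
    ("203.0.113.7", "Gi0/2", "customer 1 source arriving from customer 2"),
    ("198.51.100.5", "Gi0/3", "multi-homed customer, asymmetric path"),
]


def run(mode: str):
    """Evaluate every constructed packet; returns {description: passed}."""
    return {desc: urpf_check(RIB, src, ifc, mode) for src, ifc, desc in PACKETS}


if __name__ == "__main__":
    for m in ("strict", "loose"):
        print(m, run(m))
```

Strict mode drops the spoofed packet and the packet that arrives on the wrong customer port, but it also drops the legitimate multi-homed packet whose return path differs from its arrival path, which is why it fits single-homed stubs and why loose mode (or an ACL) is the usual fallback for multi-homed edges. On Cisco IOS the two modes correspond to `ip verify unicast source reachable-via rx` and `ip verify unicast source reachable-via any`.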