
On 2010.06.17 17:10, William Herrin wrote:
On Thu, Jun 17, 2010 at 12:38 AM, Roy <r.engehausen@gmail.com> wrote:
On 6/16/2010 7:43 PM, Jon Lewis wrote:
With a larger network, multiple IP blocks, ***numerous multihomed customers***, some of which use IPs we've assigned them, it gets a little more complicated to do. I could reject at our border, packets sourced from our IP ranges with exceptions for any of the IP blocks we've assigned to multihomed customers.
Sounds like a good use of URPF.
Reverse path filtering + asymmetric routing = epic fail. Jon did say multihomed customer.
What RPF can do in this case though, is proactively prevent possible future problems. If all IP blocks are tied down to null, and uRPF is enabled in loose mode on an interface, it will catch cases where someone is sourcing traffic to you using IPs from the unassigned space that you have in your free pools. Every month or so I re-route my blackholed traffic to a sinkhole, and more often than not, I see some ingress traffic from my unassigned space.

Steve
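An added illustration, not from any poster in this thread, of why strict uRPF breaks for the multihomed customer while loose mode over null-routed aggregates still catches free-pool sources. The FIB, interface names and sample packets are constructed (RFC 5737 documentation ranges), and the "sinkhole audit" just counts what fell through to a Null0 aggregate:

```python
import ipaddress
from collections import Counter

# Constructed FIB (RFC 5737 ranges): aggregates tied down to Null0,
# customer assignments installed as more-specifics to real interfaces.
FIB = {
    "203.0.113.0/24": "Null0",     # our aggregate, tied down
    "203.0.113.0/26": "Gi0/1",     # assigned to single-homed customer A
    "203.0.113.128/25": "Gi0/2",   # assigned to multihomed customer B
    "198.51.100.0/24": "Null0",    # second aggregate, entirely free pool
}

def lookup(src):
    """Longest-prefix match on the toy FIB: (network, next_hop) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for pfx, nh in FIB.items():
        net = ipaddress.ip_network(pfx)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def strict_urpf(src, ingress):
    """Strict mode: route back to the source must exit the ingress interface.
    Customer B arriving on Gi0/3 is legitimate but fails (asymmetric routing)."""
    route = lookup(src)
    return "forward" if route and route[1] == ingress else "drop"

def loose_urpf(src):
    """Loose mode: any route to the source passes except Null0 or no route.
    Interface is ignored, so asymmetric customer traffic is fine, while a
    free-pool source only matches the Null0 aggregate and is dropped."""
    route = lookup(src)
    return "drop" if route is None or route[1] == "Null0" else "forward"

def sinkhole_audit(packets):
    """Emulates re-routing blackholed traffic to a sinkhole: count packets
    whose source fell through to a Null0 aggregate, keyed by aggregate."""
    hits = Counter()
    for src, _ingress in packets:
        route = lookup(src)
        if route and route[1] == "Null0":
            hits[str(route[0])] += 1
    return hits

SAMPLE = [  # constructed (source address, ingress interface) pairs
    ("203.0.113.10", "Gi0/1"),   # customer A, symmetric path
    ("203.0.113.200", "Gi0/3"),  # customer B, arriving via its other path
    ("203.0.113.70", "Gi0/1"),   # free pool inside our own aggregate
    ("198.51.100.5", "Gi0/2"),   # entirely unassigned block
]
```

In a real FIB with full routes, only the Null0 fall-through (not "no route") is the interesting verdict; the audit counter is what the periodic sinkhole check would show.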