On 10/Jun/20 19:31, William Herrin wrote:
Sorry, it'd be pre-coffee if I drank coffee and I was overly harsh here. Let me back up:
The most basic spoofing protection is: don't accept remote packets pretending to be from my IP address.
Strict mode URPF extends this to networks: don't accept packets on interfaces where I know for sure the source host isn't in that direction. It works fine in network segments whose structure requires routes to be perfectly symmetrical: on every interface, the packet for every source can only have been from one particular next hop, the same one that advertises acceptance of packets with that destination. The use of BGP breaks the symmetry requirement so close to always that you may as well think of it as always. Even with a single transit or a partial table. Don't use strict mode URPF on BGP speakers.
Loose mode URPF is... broken. It was a valiant attempt to extend reverse path filtering into networks with asymmetry but I've yet to discover a use where there wasn't some faulty corner case. If you think you want to use loose mode RPF, trust me: you've already passed the point where any RPF was going to be helpful to you. Time to set it aside and solve the problem a different way.
We don't run Loose Mode on peering routers because they don't carry a full table. If anyone sent the wrong packets that way, they wouldn't be able to leave the box anyway. We do run Loose Mode on transit routers, no issues thus far. We do run Strict Mode on customer-facing links that are stub-homed to us (DIA). We also run Loose Mode on customer-facing links that buy transit (BGP). But mostly, BCP-38 deployed at the edge (peering, transit and customer routers) also goes a long way in protecting the network. Mark.