I've been reading up about uRPF on Cisco's website, at:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ft_urpf.html

I've heard many people suggest that having uRPF filtering on in an ISP environment is a good idea (and best practice).

However, I'm grappling with the idea in terms of how effective it might be, and whether it will solve a specific problem that I have observed recently.

We are a multihomed ISP, and have uplinks to two separate carriers taking full BGP feeds as well as multiple peering sessions from other parties. This means that there is some asymmetric routing present - a situation which is pretty much unavoidable in this situation.

Now, going by the document above, deploying loose mode uRPF on our edge/outside interfaces would mean that our border router would be able to drop traffic from non-routable sources coming into our network.

Two questions:

1. Given that the global routing table is increasing and there are not all that many unallocated/non-routed IP networks left (and thus fewer invalid source addresses to draw from), is uRPF much of an advantage in today's ISP/IPv4 networks?

2. We are also seeing some traffic sourced from IPs within a specific /24 subnet inside our AS, entering from outside of our AS. It is being sourced from somewhere on the Internet by some host(s) which are sending the traffic out with our source address but are not actually originating the traffic from within our AS (which I guess is along the lines of a DoS, but the traffic volumes are relatively low). I am dropping this on our 7200 via ACLs deployed on the outside edges/interfaces of our network. Could loose mode uRPF help solve this problem?

Thanks,
Reuben


_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

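The configuration below is an added example, not part of the original post and not taken from the Cisco document linked above. It shows loose mode uRPF on a transit uplink alongside the ingress ACL approach the post describes, and it assumes a hypothetical interface name (GigabitEthernet0/1) and the documentation prefix 192.0.2.0/24 standing in for the AS's own /24. The point it illustrates is the caveat relevant to question 2: loose mode only asks whether the source address has any entry in the FIB, so a spoofed source inside a prefix the AS itself announces still has a route and passes the check. Only strict mode (reverse path must exit the receiving interface) or an explicit ACL drops that traffic, and strict mode is what asymmetric routing across two carriers rules out at the transit edge.

```cisco
! Added example for the cisco-nsp post above; not from the original post
! or from Cisco's uRPF document.
! Assumptions: transit uplink is GigabitEthernet0/1; the AS's own prefix is
! 192.0.2.0/24 (a documentation placeholder, not a real allocation).
!
! uRPF requires CEF switching.
ip cef
!
! Loose mode on the transit uplink: a packet is accepted if its source
! address matches ANY route in the FIB, whichever interface it arrived on.
! Safe under asymmetric routing, but it only drops sources with no route
! at all (unallocated, bogon, unannounced space). A spoofed source inside
! 192.0.2.0/24 has a FIB entry, so loose mode lets it through.
! Do NOT add "allow-default" here: with a default route installed it would
! make every source address pass the check.
interface GigabitEthernet0/1
 description Transit uplink to carrier A
 ip verify unicast source reachable-via any
!
! Strict mode, for comparison only. It would drop the spoofed 192.0.2.0/24
! packets (the reverse path is an inside interface, not this uplink), but
! with two carriers and full tables it also drops legitimate packets that
! arrive via the "other" uplink. It belongs on single-homed customer-facing
! ports, not on the transit edge:
!   ip verify unicast source reachable-via rx
!
! The ingress ACL is still needed for the spoofed-own-prefix case: no host
! outside the AS should send packets claiming to be sourced from inside it.
ip access-list extended EDGE-IN
 remark drop packets entering from outside with our own prefix as source
 deny   ip 192.0.2.0 0.0.0.255 any
 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group EDGE-IN in
!
! Checks after deployment:
!   show ip interface GigabitEthernet0/1 | include verif
!   show ip traffic | include RPF
!   show ip access-lists EDGE-IN
```

The two mechanisms are complementary rather than interchangeable: loose mode uRPF removes the need to maintain a hand-written bogon list on the uplink, while the ACL covers the one class of spoofed source that loose mode by construction cannot see, packets forged with the AS's own addresses. The `show ip traffic` RPF counter and the ACL hit counts give a quick way to confirm that each is actually matching the traffic it is meant to drop.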