On 9/29/21 19:07, Adam Thompson wrote:
We just ran into a typical case where uRPF caused a partial outage for
one of my customers: the customer is multi-homed, with another
provider that I'm *also* connected to. Customer advertised a
longer-prefix to the other guy, so I started sending traffic destined
for Customer to the Other Provider... who then promptly dropped it
because they had uRPF enabled on the peering link, and they were
seeing random source IPs that weren't mine. Well... yeah, that can
happen (semi-legitimately) anytime you have a topological triangle in
peering.
I've concluded over the last 2 years that uRPF is *only* useful on
interfaces pointing directly at non-multi-homed customers, and
*actively dangerous* anywhere else.
That's not exactly true, unless that other provider is not carrying a
full table on the device your traffic toward your customer was transiting.
Generally, we only run uRPF on boxes that carry a full BGP table. The
lack of a full table, even with loose-mode uRPF, will lead to blackholing.
Mark.
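
The two failure cases discussed in this thread, modelled as an added example (not code from either poster): a strict-mode drop on a peering link in a topological triangle, and a loose-mode drop on a box without a full table. Interface names and the RFC 5737 documentation prefixes are constructed, and treating a default route as not satisfying the check in either mode is a simplifying assumption.

```python
import ipaddress

def make_fib(routes):
    """Build a FIB as a list of (network, egress interface) pairs."""
    return [(ipaddress.ip_network(p), ifc) for p, ifc in routes]

def best_route(fib, addr):
    """Longest-prefix match for addr; returns (network, iface) or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(net, ifc) for net, ifc in fib if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def urpf_accepts(fib, src, in_iface, mode):
    """Simplified uRPF source check.
    strict: best route back to src must point out the receiving interface.
    loose:  any route to src must exist.
    Assumption: a default route (/0) does not satisfy either mode."""
    hit = best_route(fib, src)
    if hit is None or hit[0].prefixlen == 0:
        return False
    return mode == "loose" or hit[1] == in_iface

# Constructed view from the "other provider" router.
# peer0 = peering link to the sender, cust0 = shared customer, transit0 = upstream.
FULL_TABLE = make_fib([
    ("192.0.2.0/24", "peer0"),        # the peer's own prefix
    ("198.51.100.0/24", "cust0"),     # multi-homed customer
    ("203.0.113.0/24", "transit0"),   # third-party source network
    ("0.0.0.0/0", "transit0"),
])
# Same box carrying only peer/customer routes plus a default.
PARTIAL_TABLE = make_fib([
    ("192.0.2.0/24", "peer0"),
    ("198.51.100.0/24", "cust0"),
    ("0.0.0.0/0", "transit0"),
])

def triangle_results(src="203.0.113.7", in_iface="peer0"):
    """Third-party source arriving over the peering link, bound for the customer."""
    return {
        "strict/full":   urpf_accepts(FULL_TABLE, src, in_iface, "strict"),
        "loose/full":    urpf_accepts(FULL_TABLE, src, in_iface, "loose"),
        "loose/partial": urpf_accepts(PARTIAL_TABLE, src, in_iface, "loose"),
    }

if __name__ == "__main__":
    for case, ok in triangle_results().items():
        print(f"{case:14} {'forward' if ok else 'DROP'}")
```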