Hi,

On Fri, Mar 28, 2014 at 10:22:45AM -0400, Lee wrote:
> > Actually, enabling uRPF on core-to-core interfaces is considered a
> > significantly stupid idea. You enable uRPF towards your customers,
> > and loose(!) uRPF towards peers/upstreams for BGP-RTBH.
>
> Is there an RFC that spells it out that clearly?
Well, I never searched. I find that so blindingly obvious that I never
assumed someone would want to do that, and not understand why it hurts.
> I couldn't find
> anything about 3 years ago when an auditor from our security office,
> using the CIS Secure IOS benchmark, decided that every router
> interface needed uRPF enabled. You want fun, try explaining
> asymmetrical routing to an auditor.
Yeah, I can feel your pain. OTOH in certain situations there's not
much you can do except "call his supervisor, declare the auditor to
be defective, RMA".
> > None of these will impair traceroute or NMS/discovery.
>
> If you only do uRPF at the edge - right, it doesn't impair traceroute
> but it did give us grief with NMS/discovery:
>
>   NMS 10.10.10.10
>         |
>        core
>        /  \
>       /    \
>   distA    distB
>   | 10.1.1.3  | 10.1.1.4
>   |           |
>   --- access ---
>
> When the access layer switch says its neighbors are 10.1.1.3 and
> 10.1.1.4 we had problems. Maybe it was just the discovery software
> being stupid, but we ended up putting every device into the discovery
> seed file.
Mmmh. Unless something weird comes into play here, I can't see how
uRPF could interfere if none of the links you have shown (core<->dist<->
access) has uRPF enabled...
Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
_______________________________________________ OPSEC mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsec
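To illustrate the point made in the thread (strict uRPF at the customer edge, loose uRPF towards peers for BGP-RTBH, and why strict uRPF on core links breaks under asymmetric routing), here is an added simulation of the two uRPF checks against a small FIB. It is not code from the thread or from any router vendor; the FIB, interface names and addresses are constructed for the demo, and the Null0 discard behaviour of loose mode follows the common router semantics.

```python
import ipaddress

# Constructed FIB for the demo (not from the thread): prefix -> outgoing interface.
# "Null0" is the discard interface that a BGP-RTBH route points at.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"):      "peer0",  # default route towards upstream
    ipaddress.ip_network("10.1.0.0/16"):    "cust0",  # customer behind the dist router
    ipaddress.ip_network("10.10.10.0/24"):  "core1",  # NMS subnet reached over the core
    ipaddress.ip_network("203.0.113.0/24"): "Null0",  # attack source black-holed via RTBH
}

def lookup(fib, src):
    """Longest-prefix match; returns the outgoing interface or None if there is no route."""
    addr = ipaddress.ip_address(src)
    matches = [net for net in fib if addr in net]
    return fib[max(matches, key=lambda n: n.prefixlen)] if matches else None

def urpf_check(fib, src, in_iface, mode):
    """True if a packet from `src` arriving on `in_iface` passes uRPF in the given mode.
    strict: the best route to src must point back out of in_iface (fails on asymmetry).
    loose:  any route to src suffices, unless that route is a discard route (Null0)."""
    out = lookup(fib, src)
    if out is None or out == "Null0":
        return False
    if mode == "strict":
        return out == in_iface
    if mode == "loose":
        return True
    raise ValueError(f"unknown uRPF mode {mode!r}")

def demo():
    return {
        # Customer edge, strict: sources inside the customer prefix pass ...
        "cust_ok":        urpf_check(FIB, "10.1.5.5", "cust0", "strict"),
        # ... and sources from elsewhere (spoofed) are dropped at the edge.
        "cust_spoof":     urpf_check(FIB, "10.10.10.10", "cust0", "strict"),
        # Core link, strict: the same legitimate customer packet arriving over the
        # core on an asymmetric path is dropped; this is the "stupid idea" in the thread.
        "core_strict":    urpf_check(FIB, "10.1.5.5", "core1", "strict"),
        # Core link, loose: would pass it, though the thread's advice is no uRPF here.
        "core_loose":     urpf_check(FIB, "10.1.5.5", "core1", "loose"),
        # Peer link, loose: ordinary Internet sources pass via the default route ...
        "peer_loose_ok":  urpf_check(FIB, "198.51.100.7", "peer0", "loose"),
        # ... while a source whose prefix is black-holed (route to Null0) is dropped:
        # this is how loose uRPF turns an RTBH route into source-based filtering.
        "peer_rtbh_drop": urpf_check(FIB, "203.0.113.9", "peer0", "loose"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {'pass' if result else 'drop'}")
```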
