Job, Marco, Brian:

Thanks for your comments (back in November). Version -01 of this draft is available at:
https://tools.ietf.org/html/draft-sriram-opsec-urpf-improvements-01

In response to your comments from when this was discussed (November 2016) in the GROW meeting at IETF-97 and on the GROW/OPSEC lists,

https://www.ietf.org/mail-archive/web/grow/current/msg03716.html (Marco)
https://www.ietf.org/mail-archive/web/grow/current/msg03713.html (Job)
https://www.ietf.org/mail-archive/web/grow/current/msg03715.html (Brian)

I have added a new Section 3.2 “Operational Recommendations”.

Your examples involved not announcing any routes at all to one or more upstreams (transit providers). However, feasible-path uRPF relies “on consistent route advertisements (i.e., the same prefix(es), through all the paths) propagating to all the routers performing Feasible RPF checking.” (BCP 84)

The proposed enhanced feasible-path uRPF requires less and still performs better relative to feasible-path uRPF given the same scenario. The corresponding guidelines are presented and discussed in the new Section 3.2. I have also included a version of your example in the discussion.

Thanks! Further comments welcome.

Sriram
