Hi,

On Wed, Apr 18, 2018 at 08:21:48AM +1200, Barry Greene wrote:
> Then you have this statement "It is well known that this method has
> limitations when networks are multi-homed and there is asymmetric routing of
> packets." That is false. BCP84 is wrong. uRPF has been deployed with
> multi-homed downstream customers. It works _if_ you configure it correctly
> (i.e. use BGP Weights).

... and *if* your customer announces all their prefixes symmetrically to
all upstreams...

So generally speaking, for multihoming BGP customers, there are too many
failure modes to rely on uRPF - but it's fairly easily remediated if your
tool that deploys BGP prefix-filters also builds matching interface ACLs
with it. So "whatever prefix the customer *might* announce, we'll accept
the packet".

Of course this assumes that BGP downstreams are actually filtered, but
this particular source of depression is not really in scope :-)

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
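
An added illustration of the approach described in the message above (not code from the original post or from any tool its author uses): one prefix source renders both the BGP prefix-list and the interface ACL, and a simplified strict-uRPF model is compared with the ACL for a prefix the customer currently announces only to another upstream. The prefixes are constructed documentation ranges; the Cisco IOS-style syntax, the list names and the function names are assumptions.

```python
import ipaddress

# Constructed sample data (documentation prefixes, hypothetical customer).
ALLOWED = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:100::/48"]  # may announce
ANNOUNCED_TO_US = ["192.0.2.0/24"]   # what the customer announces to us right now
LINK_NETS = ["203.0.113.0/31"]       # transfer net; the BGP session is sourced here


def _nets(prefixes):
    """Parse and sort prefixes, IPv4 first, so rendering is deterministic."""
    return sorted((ipaddress.ip_network(p) for p in prefixes),
                  key=lambda n: (n.version, n))


def build_filters(name, allowed, link_nets=()):
    """Render BGP prefix-list lines and interface ACL lines from one source."""
    bgp, acl4, acl6 = [], [], []
    for seq, net in enumerate(_nets(allowed), start=1):
        fam = "ip" if net.version == 4 else "ipv6"
        bgp.append(f"{fam} prefix-list {name}-IN{net.version} "
                   f"seq {seq * 5} permit {net}")
    # The ACL also permits the link subnet, or it would drop the BGP session.
    for net in _nets(list(allowed) + list(link_nets)):
        if net.version == 4:
            acl4.append(f" permit ip {net.network_address} {net.hostmask} any")
        else:
            acl6.append(f" permit ipv6 {net} any")
    acl = []  # each ACL ends with the platform's implicit deny
    if acl4:
        acl += [f"ip access-list extended {name}-SRC4", *acl4]
    if acl6:
        acl += [f"ipv6 access-list {name}-SRC6", *acl6]
    return bgp, acl


def acl_accepts(src, allowed, link_nets=()):
    """ACL view: accept any source inside a prefix the customer MIGHT announce."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in _nets(list(allowed) + list(link_nets)))


def strict_urpf_accepts(src, announced_on_link):
    """Simplified strict-uRPF model: accept only sources covered by a route
    currently learned over this same link (ignores best-path selection)."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in _nets(announced_on_link))


if __name__ == "__main__":
    bgp, acl = build_filters("CUST", ALLOWED, LINK_NETS)
    print("\n".join(bgp + acl))
```
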
