On 31 May 2018 at 12:10, Simon Woodhead <[email protected]> wrote:
> Exactly that Sandy. Thanks :)
>
> Loose uRPF checks for a route back to the source of any packet arriving on
> an interface it is configured on, but in most implementations if that route
> back is actually to null it will drop the packet.
>
> We used this for years on our old Brocade platform and it was really handy
> being able to inject anything at the ExaBGP level to block both source and
> destination across the entire edge. We have a feature request in for Arista
> as loose uRPF doesn’t work the same way to make this useful; I would expect
> (but don’t know) JunOS to be relatively sane
>

"Sane" is questionable (ish).

S/RTBH using rpf loose mode works on junos (since 12.1), as long as you enable it (discarding if NH=discard for src is not default behavior);

set forwarding-options rpf-loose-mode-discard family (inet|inet6)

The main caveat is rather with using loose mode at all, or specifically in the presence of a default route, the behavior of which is different between DPC->MPC, and even if MPC is "the good one" then you may or may not get exactly what you want/expected.

But at least it is documented (it's a lot of words to say "don't use loose mode on an interface if you need/use a default pointed out that interface");

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/interfaces-configuring-unicast-rpf.html

The KB is clearer.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB24356

And David Roy shows the complete matrix of what you get;

http://junosandme.net/article-understanding-ipv4-urpf-on-junos-dpc-mpc-120354926.html

If that doesn't work for Paul, the answer to "how would I turn BGP routes into something I can filter (without scripting)" would be SCU (more/different caveats apply - good luck).

Euan
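A small model of the check discussed in this thread, added here as an illustration and not code from either poster or from any vendor: a loose uRPF lookup on the packet's source address, with a switch for dropping when the best route back has a discard next hop. The FIB contents, function names and the `default_counts` switch are assumptions made for the example; `default_counts` only models the default-route question and does not state how any particular platform behaves.

```python
import ipaddress

DISCARD = "discard"  # next hop used for blackholed (S/RTBH) prefixes

def best_route(fib, src):
    """Longest-prefix match of src in fib (dict: prefix string -> next hop)."""
    addr = ipaddress.ip_address(src)
    matches = []
    for prefix, next_hop in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            matches.append((net, next_hop))
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)

def loose_urpf(fib, src, discard_on_null=True, default_counts=True):
    """Return 'accept' or 'drop' for a packet whose source address is src.

    discard_on_null: drop when the best route back to src is a discard route.
    default_counts:  whether a default route alone satisfies the loose check
                     (a model switch, not a claim about any platform).
    """
    match = best_route(fib, src)
    if match is None:
        return "drop"                      # no route back at all
    net, next_hop = match
    if net.prefixlen == 0 and not default_counts:
        return "drop"                      # only the default route matched
    if next_hop == DISCARD and discard_on_null:
        return "drop"                      # source has been blackholed
    return "accept"

# Constructed FIB using documentation prefixes; the /32 stands for a route
# injected over BGP with a discard next hop.
FIB = {
    "0.0.0.0/0": "upstream",
    "198.51.100.0/24": "peer-a",
    "198.51.100.66/32": DISCARD,
}

def demo():
    return {
        "blackholed, discard on": loose_urpf(FIB, "198.51.100.66"),
        "blackholed, discard off": loose_urpf(FIB, "198.51.100.66", discard_on_null=False),
        "normal source": loose_urpf(FIB, "198.51.100.7"),
        "default only, counts": loose_urpf(FIB, "203.0.113.9"),
        "default only, ignored": loose_urpf(FIB, "203.0.113.9", default_counts=False),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

With `discard_on_null=False` the blackholed source still passes, because a route back to it exists; that is the case the discard setting quoted above is there to change.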
