Re: [External] Re: uPRF strict more

[Andrew Smith <andrew.william.smith () gmail com>]

In Ciscoland, you do have to explicitly state that the default route is
eligible for URPF verification, otherwise you'll get unexpected traffic
drops.

ip verify unicast source reachable-via any allow-default


And yes, it's main purpose is for implementing source-based
remotely-triggered blackhole (SRTBH).

On Thu, Sep 30, 2021 at 10:58 AM Hunter Fuller via NANOG <nanog () nanog org>
wrote:

> On Thu, Sep 30, 2021 at 12:08 AM Mark Tinka <mark@tinka.africa> wrote:
> > If you don't plan to run a full BGP table on a device, don't enable
> uRPF, even loose-mode.
>
> At least in Ciscoland, loose URPF checks will pass if you have a
> default route. So I do not think it could result in inadvertent
> blackholing of traffic.
>
> What it does allow is for *deliberate* blackholing for traffic; if you
> null-route a prefix, you now block incoming traffic from that subnet
> as well. This can be useful and it is how we are using URPF.
>
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH M-1A
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering