North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
who is using RPF on peers?
Almost a month ago, certain nets of ours (AS10368) lost connectivity to a major provider. The problem was tracked down to the major provider having enabled RPF, or "ip verify unicast reverse-path" in IOS-speak, on one of their private peers with one of our upstreams to whom we don't announce those nets. At the time, I decided not to post a warning to nanog as it appeared to be a mistake and an isolated case. Apparently, the same major provider had/has RPF enabled on other peering interfaces also and one more instances were tracked down in the last 24 hours. Enabling RPF on the "backbone" is not a good idea as long as path-asymmetry exists -- unless you are trying to send a message to an unresponsive peer who is sending you source-spoofed packets. Please take this as an appeal to double-check your use of RPF and restrict it to the "edges" of your network. Thanks, Adi