
urpf - evil?
Hello

While working on my ACLs I noticed that I was successful in blocking some
apparently spoofed IPv6 traffic. The destination was Facebook and the
source was an IPv6 range belonging to a mobile operator that sells 4G Wifi
router based solutions.

So thinking about how and why a few customers end up sending packets to our
network with the wrong source, I came up with a theory (not validated):
What if the customer connects his 4G Wifi router to one of the LAN ports of
our CPE (or vice versa)? His computer would then pick up an IPv6 range from
both ISPs along with two default routes. But only one default route would
be used, and in this case that was apparently the default route going to
our network. But still his computer might use the IPv6 address from the
other ISP as source and therefore he ends up "spoofing" by sending that to
us. We deliver the packets to Facebook and I assume Facebook will route the
replies just fine through the other ISP.

Now the thing is that my impression is that it actually works so long as I do
not actively block it with uRPF or ACLs on our edge. I have learned that
spoofing is evil and I should be blocking this - but why am I sabotaging
something that apparently is doing just fine at some customers?

Regards,

Baldur
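An added example (my own code, not anything from this thread) modelling the check at the ISP edge that Baldur describes: a small constructed FIB, a strict and a loose uRPF lookup on the packet's source, and a BCP38-style per-port ingress filter. The prefixes and interface names are constructed; 2001:db8:a::/48 stands for the prefix this ISP delegated to the customer and 2001:db8:b::/48 for the mobile operator's prefix that shows up as the source.

```python
import ipaddress

# Constructed FIB of the ISP edge router: prefix -> interface used to reach it.
# The default route points toward the core, as on a typical edge box.
FIB = {
    "2001:db8:a::/48": "cust-port-7",   # prefix delegated to this customer
    "2001:db8:ffff::/48": "core-uplink",
    "::/0": "core-uplink",              # default route toward transit/peering
}

# Constructed per-port ingress filter (BCP38): what each customer port may source.
CUSTOMER_ACL = {"cust-port-7": ["2001:db8:a::/48"]}


def best_route(addr: str):
    """Longest-prefix match in FIB; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(src: str, ingress: str) -> bool:
    """Strict uRPF: accept only if the best route to src points back out the
    interface the packet arrived on. A default route matching src still yields
    the core interface, so it does not rescue a customer-port packet."""
    route = best_route(src)
    return route is not None and route[1] == ingress


def urpf_loose(src: str) -> bool:
    """Loose uRPF: accept if any route exists for src. With a default route in
    the FIB this passes every source, which is why loose mode alone does not
    stop the case described in the thread."""
    return best_route(src) is not None


def bcp38_permit(src: str, ingress: str) -> bool:
    """Static ingress ACL: accept only sources inside the prefixes assigned
    to the port the packet came in on."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in CUSTOMER_ACL.get(ingress, []))


def classify(src: str, ingress: str) -> dict:
    """Run all three checks on one packet so the results can be compared."""
    return {"strict": urpf_strict(src, ingress),
            "loose": urpf_loose(src),
            "bcp38": bcp38_permit(src, ingress)}
```

Running `classify("2001:db8:b::10", "cust-port-7")` reproduces the thread's case: the host used its address from the other ISP, so strict uRPF and the BCP38 ACL drop the packet while loose uRPF lets it through.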
Re: urpf - evil?
Hi Baldur,

You are at risk of facilitating spoofed and/or reflection DDoS attacks if you don't implement BCP38; that's why uRPF exists. :)

Best regards,
Martijn
________________________________
From: NANOG <nanog-bounces+martijnschmidt=i3d.net@nanog.org> on behalf of Baldur Norddahl <baldur.norddahl@gmail.com>
Sent: 30 October 2020 20:29
To: nanog@nanog.org <nanog@nanog.org>
Subject: urpf - evil?