urpf - evil?


While working on my ACLs I noticed that I was successful in blocking some apparently spoofed IPv6 traffic. The destination was Facebook and the source was an IPv6 range belonging to a mobile operator that sells 4G Wifi router-based solutions.

So thinking about how and why a few customers end up sending packets to our network with the wrong source, I came up with a theory (not validated): What if the customer connects his 4G Wifi router to one of the LAN ports of our CPE (or vice versa)? His computer would then pick up an IPv6 range from both ISPs along with two default routes. But only one default route would be used, and in this case that was apparently the default route going to our network. But still his computer might use the IPv6 address from the other ISP as source and therefore he ends up “spoofing” by sending that to us. We deliver the packets to Facebook and I assume Facebook will route the replies just fine through the other ISP.

Now the thing is that my impression is that it actually works so long as I do not actively block it with uRPF or ACLs on our edge. I have learned that spoofing is evil and I should be blocking this - but why am I sabotaging something that apparently is doing just fine for some customers?



Hi Baldur,

You are at risk of facilitating spoofed and/or reflection DDoS attacks if you don’t implement BCP38… that’s why uRPF exists. :slight_smile:

Best regards,
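The following is an added illustration, not code from either poster: a toy model of the check an edge router performs under uRPF (strict and loose modes) and under a static BCP38 ingress prefix list, run over three constructed packets that mirror the thread's scenario (a legitimate customer source, a source from the other ISP's range arriving on our customer port, and an unrouted source). All prefixes, interface names and addresses are constructed placeholders in the documentation range, and the routing table is invented for the example.

```python
"""Strict vs loose unicast RPF and a BCP38 ingress prefix list over IPv6.

Added example (not from the original thread). Every prefix, interface name
and packet below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv6Network
    interface: str            # interface the router would use to reach this prefix
    is_default: bool = False


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    ingress: str              # interface the packet arrived on


def lookup(table, addr):
    """Longest-prefix match for addr; returns the matching Route or None."""
    best = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_permits(table, pkt, mode="strict", allow_default=False):
    """True if pkt passes the uRPF check on its ingress interface.

    strict: the best route back to pkt.src must point out the ingress interface.
    loose:  any route back to pkt.src is enough; only unrouted sources are dropped.
    allow_default: whether a default route counts as a route back to the source.
    """
    if mode not in ("strict", "loose"):
        raise ValueError(f"unknown mode {mode!r}")
    route = lookup(table, pkt.src)
    if route is None:
        return False
    if route.is_default and not allow_default:
        return False
    if mode == "loose":
        return True
    return route.interface == pkt.ingress


def bcp38_permits(pkt, ingress_acl):
    """Static BCP38 ingress filter: pkt.src must fall in a prefix assigned to the ingress port."""
    return any(pkt.src in p for p in ingress_acl.get(pkt.ingress, ()))


# Constructed routing table for "our" edge router (documentation prefixes).
OUR_CUSTOMER = ipaddress.IPv6Network("2001:db8:aaaa::/48")   # delegated to our customer
OTHER_ISP    = ipaddress.IPv6Network("2001:db8:bbbb::/48")   # the 4G operator's range, reachable via transit
TABLE = [
    Route(OUR_CUSTOMER, "cust0"),
    Route(OTHER_ISP, "transit0"),
    Route(ipaddress.IPv6Network("::/0"), "transit0", is_default=True),
]

# Static per-port prefix list for the BCP38 variant (constructed).
INGRESS_ACL = {"cust0": [OUR_CUSTOMER]}

DST = ipaddress.IPv6Address("2001:db8:ffff::1")              # placeholder remote destination

LEGIT    = Packet(ipaddress.IPv6Address("2001:db8:aaaa::10"), DST, "cust0")
# The thread's scenario: other ISP's address as source, arriving on our customer port.
SPOOFED  = Packet(ipaddress.IPv6Address("2001:db8:bbbb::10"), DST, "cust0")
# A source with no route at all except the default.
UNROUTED = Packet(ipaddress.IPv6Address("2001:db8:cccc::1"), DST, "cust0")


def evaluate(pkt):
    """Run every filter variant on one packet; True means the packet is forwarded."""
    return {
        "strict": urpf_permits(TABLE, pkt, "strict"),
        "loose": urpf_permits(TABLE, pkt, "loose"),
        "loose_allow_default": urpf_permits(TABLE, pkt, "loose", allow_default=True),
        "bcp38_acl": bcp38_permits(pkt, INGRESS_ACL),
    }


if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("other-ISP source", SPOOFED), ("unrouted", UNROUTED)):
        print(f"{name:18s} {evaluate(pkt)}")
```

The other-ISP packet is exactly the case that loose uRPF lets through (there is a route back to that source, just not via the customer port) and that strict uRPF or a static per-port prefix list drops; the unrouted packet shows why a default route is normally excluded from the check, since counting it would make loose mode pass anything.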