A short story of a broken strict uRPF implementation

Benedikt Neuffer


At KIT we bought multilayer switches which use NDP and ARP cache information for strict uRPF. This talk shows you how this implementation breaks things.

I will start with a short summary of how strict uRPF according to RFC 3704 works and how it can be used to prevent customers from spoofing source addresses.
Afterwards I'll show an implementation of strict uRPF which only forwards packets from a host if its IP address has already been learned via NDP or ARP.
I will show how this implementation prevents at least current macOS and GNU/Linux systems from connecting to IPv6 addresses outside of the broadcast domain, because they do not send unsolicited neighbor solicitations. Furthermore I'll show how this implementation also breaks load balancing setups based on MAC Address Translation and Direct Server Return.
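As an added illustration (not part of the talk or this abstract), the following Python sketch contrasts the RFC 3704 strict check, which consults the FIB, with the neighbor-cache check the abstract describes. The prefixes, interface names, the host that never sent a neighbor solicitation, and the assumption that the DSR virtual IP lies inside the real server's own LAN prefix are all constructed for the example.

```python
import ipaddress

# Constructed example: a multilayer switch with a FIB and per-interface
# neighbor caches. Addresses use the RFC 3849 documentation prefix.
FIB = {
    ipaddress.ip_network("2001:db8:1::/64"): "eth1",  # customer LAN
    ipaddress.ip_network("2001:db8:2::/64"): "eth2",  # DSR real-server LAN
    ipaddress.ip_network("::/0"): "eth0",             # uplink / default route
}

# Addresses the switch has learned via NDP (or ARP for IPv4), per ingress interface.
NEIGHBOR_CACHE = {
    "eth1": {ipaddress.ip_address("2001:db8:1::20")},  # host that did send an NS
    "eth2": {ipaddress.ip_address("2001:db8:2::5")},   # real server's own address
}

def lookup(addr):
    """Longest-prefix match of addr in the FIB; returns the egress interface."""
    best = max((n for n in FIB if addr in n), key=lambda n: n.prefixlen, default=None)
    return FIB[best] if best is not None else None

def strict_urpf_rfc3704(src, ingress):
    """RFC 3704 strict mode: accept if the best route back to src leaves via ingress."""
    return lookup(ipaddress.ip_address(src)) == ingress

def strict_urpf_cache_based(src, ingress):
    """Variant from the talk: accept only if src is already in the ingress NDP/ARP cache."""
    return ipaddress.ip_address(src) in NEIGHBOR_CACHE.get(ingress, set())

def compare(src, ingress):
    """Return (rfc3704_verdict, cache_based_verdict) for one packet."""
    return (strict_urpf_rfc3704(src, ingress), strict_urpf_cache_based(src, ingress))

if __name__ == "__main__":
    cases = {
        # hypothetical macOS/Linux host: inside the prefix, but never sent an NS
        "fresh host, first packet":  ("2001:db8:1::10", "eth1"),
        "host already in cache":     ("2001:db8:1::20", "eth1"),
        # DSR real server answering with the VIP as source; the server does not
        # answer NS for the VIP, so the switch never learns it (VIP assumed in-prefix)
        "DSR reply with VIP source": ("2001:db8:2::80", "eth2"),
        # genuine spoofing: the source belongs behind the uplink, both variants drop it
        "spoofed source":            ("2001:db8:9::1", "eth1"),
    }
    for name, (src, ifc) in cases.items():
        rfc, cache = compare(src, ifc)
        print(f"{name:26s} rfc3704={rfc!s:5} cache-based={cache}")
```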