rp-filter=loose, including default-route or no?

I am terribly sorry if this has been answered before, but I could not find an answer via search or Google. The documentation on the wiki lacks an answer.

/ ip settings rp-filter=loose

Does that match on default-route (0.0.0.0/0) also or only more specific routes?

RFC3704 allows for two different “loose” variants which also does not help to explain based on the wiki.

   o  Loose Reverse Path Forwarding
   o  Loose Reverse Path Forwarding ignoring default routes

The place I want to use it is on a full tabled BGP router (trying to avoid firewall rules for forwarding, trying to achieve fast-path).

RP-filter is a security feature AFAIK. And it’s looking at the source address and the best specific route for it in order to process this packet.

strict - Strict mode as defined in RFC3704 Strict Reverse Path. Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.
loose - Loose mode as defined in RFC3704 Loose Reverse Path. Each incoming packet’s source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.

I believe that loose mode includes the default route.

This is exactly why I’m asking. Hoping someone with definitive knowledge will chime in.

I believe you are right. After testing I found that Loose mode with a default-route in the route table means no real rp-filtering is done. It is possible that it goes through the motions but will always find a route and so will always allow it. How useful that is, is debatable. How you are able to propagate a default-route through BGP/IGP from upstream is then also an unknown factor.

UP

I just tested the behaviour of RP loose mode and it considers the default route as a normal route. In case the default route is installed, loose mode makes no sense.
I tried the same on an Arista switch and they correctly ignore the default route.
Whoever wants to join the support ticket, PM me.

SUP-69814

I can see your point, but the default route is a connected route too (and potentially dynamically changing). But even if Mikrotik’s definition is “wrong”, “rp-filter=loose” has included the default route for a very long time, and changing functionality is risky in V6, since there may be users with rp-filter=loose that expect the current behavior (even if it’s potentially wrong).

That the firewall can do the same functionality is likely why there isn’t too much interest. I guess rp-filter=loose might be slightly more performant than using the firewall to implement the same rules, but dunno.

I’d imagine V7 would be the same, but you could try that and confirm the same behavior?

I am not aware of a parameter in Linux that allows ignoring the default route. rp_filter allows setting only disable, strict, loose. There is no other option, so it is what it is.
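
The difference discussed in this thread, as an added example that is not part of any post and is not MikroTik or Linux code: a small model of the three RFC 3704 checks (strict, loose, loose ignoring default routes) run against a constructed FIB. The mode names, interface names and prefixes are assumptions chosen for illustration.

```python
import ipaddress

MODES = ("strict", "loose", "loose-ignore-default")  # hypothetical mode names

# Constructed FIB for illustration: (prefix, outgoing interface).
FIB = [
    ("0.0.0.0/0", "upstream"),
    ("198.51.100.0/24", "customer"),
    ("203.0.113.0/24", "peer"),
]

def matching_routes(fib, src):
    """Return (network, interface) routes covering src, most specific first."""
    addr = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), i) for p, i in fib]
    hits = [(n, i) for n, i in hits if addr in n]
    return sorted(hits, key=lambda r: r[0].prefixlen, reverse=True)

def rpf_accepts(fib, mode, src, in_iface):
    """Decide whether a packet from src arriving on in_iface passes the check."""
    routes = matching_routes(fib, src)
    if mode == "strict":
        # Best reverse path must point back out the ingress interface.
        return bool(routes) and routes[0][1] == in_iface
    if mode == "loose":
        # Any route at all is enough, so 0.0.0.0/0 matches every source.
        return bool(routes)
    if mode == "loose-ignore-default":
        # Same as loose, but a /0 route does not count as reachability.
        return any(n.prefixlen > 0 for n, _ in routes)
    raise ValueError(f"unknown mode: {mode}")

def verdicts(fib, src, in_iface):
    """Run all three modes for one packet and return {mode: accepted}."""
    return {m: rpf_accepts(fib, m, src, in_iface) for m in MODES}

if __name__ == "__main__":
    # Constructed sample packets, all arriving on the "customer" interface.
    for src in ("198.51.100.7", "203.0.113.9", "192.0.2.1"):
        print(src, verdicts(FIB, src, "customer"))
    # Same unrouted source once the default route is removed from the FIB.
    print("192.0.2.1 (no default)", verdicts(FIB[1:], "192.0.2.1", "customer"))
```

With the default route present, the source 192.0.2.1 has no specific route yet still passes plain loose mode; only the ignoring-default variant or a FIB without 0.0.0.0/0 rejects it.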