uRPF isn't easy to implement on multi-homed networks. uRPF works by checking that the reverse path for incoming traffic (the route back to the packet's source address) would leave via the interface the traffic arrived on. It's an implementation of BCP38 anti-spoofing built on the router's own knowledge of connected networks and routes. So for example, if traffic arrives on eth0 from 192.168.1.5 but 192.168.1.0/24 is directly connected to eth1, then eth0 would reject the traffic. It's a bit more complicated than that on a large network, but you get the idea.
In "loose" mode, each incoming packet's source IP address is tested against the FIB. The packet is dropped only if the source IP address is not reachable via any interface on that router. This is the safest, but also the least effective, tool, especially in the IPv4 world, since soon almost every IP range will be in use due to the depletion of free address pools. Anything we choose to null-route will either get nulled by the SOC using flowspec at the edge, or, if it's nulled by the NOC or a customer, it will be propagated throughout the network and so will in turn be nulled at the edge.
Since X has multiple connections to the outside world and BGP automatically reroutes traffic when failures occur, it's perfectly legitimate for traffic to arrive on X via an interface that our routing table would not have sent the return traffic out on, which is why uRPF strict mode is not used. You may see similar issues when performing traceroutes during routing table changes.
Reverse Path Filtering and access lists are used on X to check for spoofing of external addresses. If external providers report X addresses as sources, and investigation proves this to be incorrect, then that provider may not be using RPF and is suffering from spoofed sources.
There are best practices for restricting which source ranges may send through router access lists. BCP38 (https://tools.ietf.org/html/bcp38) advises restricting ingress so that only the source ranges legitimately assigned to a link are allowed to send. Access-list features exist on routers with commands specifically intended for anti-spoofing:
ip access-list extended anti-spoof
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 remark deny outsiders using internal addresses
 deny ip <your company subnet> <wildcard mask of your company subnet> any
 remark the list ends with an implicit deny, so everything else must be permitted explicitly
 permit ip any any
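To show what the access list above actually matches, here is an added example (not from the original page or any router vendor) that evaluates Cisco-style wildcard-mask entries in Python. It assumes 203.0.113.0/24 as the stand-in for "<your company subnet>", only handles `ip` entries with an `any` destination (as in the list above), and also shows why the closing `permit ip any any` matters: without it the implicit deny at the end of every ACL drops legitimate traffic too.

```python
import ipaddress

# Constructed anti-spoof ACL in Cisco extended-ACL syntax, mirroring the list
# above. 203.0.113.0/24 stands in for "<your company subnet>" (assumption).
ANTI_SPOOF_ACL = """
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 203.0.113.0 0.0.0.255 any
permit ip any any
"""


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'.

    The wildcard is the bitwise inverse of a netmask, so 0.0.0.255 covers a /24.
    """
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))  # bits that must match
    return (a & care) == (b & care)


def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' entries into (action, base, wildcard).

    Only the source side is evaluated; every entry in the anti-spoof list has an
    'any' destination. 'remark' lines and blank lines are skipped.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "remark":
            continue
        action, proto, src = parts[0], parts[1], parts[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        if src[0] == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif src[0] == "host":
            entries.append((action, src[1], "0.0.0.0"))
        else:
            entries.append((action, src[0], src[1]))
    return entries


def evaluate(entries, src):
    """First matching entry wins; a Cisco ACL ends with an implicit 'deny'."""
    for action, base, wildcard in entries:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(ANTI_SPOOF_ACL)
    # Constructed sample sources arriving from the outside world.
    for src in ("10.1.2.3", "172.20.0.1", "172.32.0.1", "239.1.1.1",
                "203.0.113.9", "198.51.100.5"):
        print(f"{src:>13}: {evaluate(acl, src)}")
    # The same list without its final permit: the implicit deny drops everything.
    no_permit = parse_acl(ANTI_SPOOF_ACL.replace("permit ip any any", ""))
    print("198.51.100.5 without the permit:", evaluate(no_permit, "198.51.100.5"))
```

Note that 172.32.0.1 is permitted while 172.20.0.1 is denied: the wildcard 0.15.255.255 makes 172.16.0.0 cover exactly 172.16.0.0/12, which is the boundary people most often get wrong when writing these lists by hand.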
The X network drops traffic at the border whose source is reachable via no interface other than Null0, i.e. the condition is met that no route for it exists in the ISP network, so no interface/route matches. Spoofed traffic from such addresses has no matching route/interface and is therefore dropped.
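The following added example (not code from the original page or from X's routers) models the strict and loose uRPF checks described above against a small constructed FIB, including the two cases that matter for this page: the multi-homed asymmetry that makes strict mode reject legitimate traffic, and the Null0 route that drops unroutable or blackholed sources in both modes. Interface names, prefixes and the `allow_default` switch are assumptions for illustration; the default route is ignored by the check unless that switch is set, since otherwise a default route would make loose mode accept every source.

```python
import ipaddress

# Constructed FIB for a multi-homed router (not X's real table): prefix -> egress
# interface. "Null0" models a discard route: space the NOC has blackholed, or space
# that should never appear as a source on the internet.
FIB = {
    "0.0.0.0/0": "eth0",          # default route via upstream A
    "198.51.100.0/24": "eth1",    # peer's block, best path currently via upstream B
    "203.0.113.0/24": "eth2",     # hypothetical directly connected customer block
    "192.0.2.0/24": "Null0",      # blackholed by the NOC
    "10.0.0.0/8": "Null0",        # RFC1918, never a valid internet source
}


def lookup(src, allow_default=False):
    """Longest-prefix match of src against the FIB.

    Returns the egress interface, or None when nothing matches. The default
    route only counts when allow_default is set; without that, a default route
    would satisfy the loose check for any source at all.
    """
    addr = ipaddress.ip_address(src)
    best_net, best_iface = None, None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def urpf(src, ingress, mode="strict", allow_default=False):
    """Return True if a packet from src arriving on ingress passes the uRPF check.

    strict: the reverse path must leave via the very interface the packet
            arrived on, which breaks under asymmetric routing on multi-homed
            networks.
    loose:  any real route to the source is enough; only sources with no route,
            or whose route points at Null0, are dropped.
    """
    iface = lookup(src, allow_default)
    if iface is None or iface == "Null0":
        return False            # no route / discard route: dropped in both modes
    if mode == "strict":
        return iface == ingress
    if mode == "loose":
        return True
    raise ValueError(f"unknown uRPF mode: {mode}")


if __name__ == "__main__":
    # Constructed packets: (source address, interface it arrived on)
    cases = [
        ("203.0.113.7", "eth2"),    # customer traffic on its own interface
        ("198.51.100.9", "eth0"),   # asymmetric: BGP moved the return path to eth1
        ("192.0.2.1", "eth0"),      # blackholed source
        ("10.1.2.3", "eth1"),       # RFC1918 source: spoofed or leaked
        ("100.64.1.1", "eth0"),     # covered only by the default route
    ]
    for src, ingress in cases:
        print(f"{src:>13} on {ingress}: strict={urpf(src, ingress, 'strict')} "
              f"loose={urpf(src, ingress, 'loose')}")
```

The second case is the situation the text describes: the return path to 198.51.100.0/24 is via eth1, but BGP has delivered the packet on eth0, so strict mode drops perfectly legitimate traffic while loose mode accepts it. The blackholed and RFC1918 sources resolve to Null0 and are dropped in both modes, which is the border behaviour described for X.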