10-Security Configuration Guide

H3C S12500 Configuration Guide-Release7128-6W710
05-uRPF configuration

Overview

Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks.

Attackers send packets with a forged source address to access a system that uses IP-based authentication, posing as authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.

Figure 1 Source address spoofing attack


As shown in Figure 1, an attacker on Router A sends the server (Router B) requests with a forged source IP address 2.2.2.1 at a high rate, and Router B sends response packets to IP address 2.2.2.1 (Router C). Consequently, both Router B and Router C are attacked. If the administrator disconnects Router C by mistake, the network service is interrupted.

Attackers can also send packets with different forged source addresses or attack multiple servers simultaneously to block connections or even break down the network.

uRPF can prevent these source address spoofing attacks. It checks whether an interface that receives a packet is the output interface of the FIB entry that matches the source address of the packet. If not, uRPF considers it a spoofing attack and discards the packet.

uRPF check modes

uRPF supports strict and loose modes. The device supports only the strict mode.

Strict uRPF check—To pass strict uRPF check, the source address of a packet and the receiving interface must match the destination address and output interface of a FIB entry. In some scenarios (such as asymmetrical routing where the interface receiving upstream traffic is different from the interface forwarding downstream traffic), strict uRPF might discard valid packets. Strict uRPF is often deployed between a PE and a CE.

Loose uRPF check—To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry. Loose uRPF avoids discarding valid packets, but might let attack packets through. Loose uRPF is often deployed between ISPs, especially in asymmetrical routing.

Features

Strict uRPF check can perform link layer check on a packet. It uses the next hop address in the matching FIB entry to look up the ARP table for a matching entry. If the source MAC address of the packet matches the MAC address in the matching ARP entry, the packet passes strict uRPF check. Link layer check is applicable to ISP devices where a Layer 3 Ethernet interface connects a large number of PCs.

uRPF operation

uRPF does not check multicast packets.

uRPF works as follows:

1.      If the source IP address of an incoming packet is found in the FIB table:

uRPF does a reverse route lookup for routes to the source address of the packet. If at least one outgoing interface of such a route matches the receiving interface, the packet passes the check. Otherwise, the packet is discarded. The reverse route lookup refers to searching for the outgoing interface of the FIB entry whose destination matches the source IP address of the packet.

2.      If the packet passes the reverse route check, uRPF starts the link layer check:

-  If the link-check keyword is not configured, the packet passes the check and is forwarded normally.

-  If the link-check keyword is configured, uRPF compares the MAC address of the next hop in the FIB entry (resolved through the ARP table) with the source MAC address of the packet. If they are the same, the packet passes the check. Otherwise, the packet is rejected.
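The following Python model, added here as an illustration and not part of the H3C guide or device software, walks through the uRPF decision described above (strict and loose reverse route check, optional link layer check against ARP, ECMP next hops, and whether the default route may be used). The FIB, ARP table and packets are constructed sample data; interface names and the "allow_default" switch are assumptions for the example.

```python
import ipaddress

# Constructed FIB: prefix -> list of (next_hop, output_interface).
# Several next hops on one prefix model ECMP routes.
FIB = [
    ("10.1.1.0/24", [("10.1.1.254", "Vlan10")]),
    ("2.2.2.0/24",  [("192.0.2.1", "Vlan20"), ("192.0.2.2", "Vlan21")]),  # ECMP
    ("0.0.0.0/0",   [("198.51.100.1", "Vlan30")]),                          # default route
]
# Constructed ARP table: next hop IP -> MAC, used only by the link layer check.
ARP = {"10.1.1.254": "00:11:22:33:44:55"}


def fib_lookup(addr, fib=FIB, allow_default=True):
    """Longest-prefix match on the packet's SOURCE address (the reverse lookup).
    Returns the list of (next_hop, output_interface) pairs, or [] if no entry."""
    ip = ipaddress.ip_address(addr)
    best, best_len = [], -1
    for prefix, hops in fib:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue  # assumption: default route excluded unless explicitly allowed
        if ip in net and net.prefixlen > best_len:
            best, best_len = hops, net.prefixlen
    return best


def urpf_check(src_ip, in_if, src_mac=None, mode="strict",
               link_check=False, allow_default=True):
    """Return (passed, reason) for one incoming unicast packet."""
    hops = fib_lookup(src_ip, allow_default=allow_default)
    if not hops:
        return False, "no FIB entry matches the source address"
    if mode == "loose":
        return True, "loose: source address is reachable"
    # Strict: the receiving interface must be an output interface of the entry.
    matches = [(nh, oif) for nh, oif in hops if oif == in_if]
    if not matches:
        return False, "strict: receiving interface is not an output interface"
    if link_check:
        # Link layer check: source MAC must equal the next hop's ARP entry.
        # The guide says link-check is unsupported with ECMP; we only model one hop.
        nh_mac = ARP.get(matches[0][0], "")
        if nh_mac.lower() != (src_mac or "").lower():
            return False, "link-check: source MAC does not match next-hop ARP entry"
    return True, "strict check passed"
```

A packet from 10.1.1.5 arriving on Vlan30 fails strict mode (asymmetric or spoofed) but passes loose mode, which is exactly the trade-off described in the two check modes.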

Configuring uRPF

Follow these guidelines when you configure uRPF:

·           The device does not support uRPF check where more than eight ECMP routes exist. For more information about ECMP routing, see Layer 3—IP Routing Configuration Guide.

·           The link layer check feature does not support ECMP routing. If ECMP routes exist, disable the link layer check feature.

·           uRPF check takes effect only on VLAN interfaces.

·           uRPF checks only incoming packets on an interface.

·           You can use the display ip interface command to view statistics about packets discarded by uRPF (displayed as "Drops" and "Suppressed drops").

To enable uRPF on an interface:

Step                               Command                                        Remarks
1. Enter system view.              system-view                                    N/A
2. Enter interface view.           interface interface-type interface-number      N/A
3. Enable uRPF on the interface.   ip urpf strict [ link-check ]                  By default, uRPF is disabled.

Displaying and maintaining uRPF

Execute display commands in any view.

Task                                               Command
Display uRPF configuration (in standalone mode).   display ip urpf [ interface interface-type interface-number ] [ slot slot-number ]
Display uRPF configuration (in IRF mode).          display ip urpf [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]

uRPF configuration example

By default, Ethernet, VLAN, and aggregate interfaces are down. To configure such an interface, bring the interface up by executing the undo shutdown command.

Network requirements

As shown in Figure 2, configure strict uRPF check on VLAN-interface 10 of Switch B and permit packets from network 10.1.1.0/24.

Configure strict uRPF check on VLAN-interface 10 of Switch A and allow using the default route for uRPF check.

Figure 2 Network diagram


Configuration procedure

1.      Configure Switch B:

# Create VLAN 10.

[SwitchB] vlan 10

[SwitchB-vlan10] quit

# Specify the IP address of VLAN-interface 10.

[SwitchB] interface vlan-interface 10

[SwitchB-Vlan-interface10] ip address 1.1.1.2 255.255.255.0

# Configure strict uRPF check on VLAN-interface 10.

[SwitchB-Vlan-interface10] ip urpf strict

2.      Configure Switch A:

# Create VLAN 10.

<SwitchA> system-view

[SwitchA] vlan 10

[SwitchA-vlan10] quit

# Specify the IP address of VLAN-interface 10.

[SwitchA] interface vlan-interface 10

[SwitchA-Vlan-interface10] ip address 1.1.1.1 255.255.255.0

# Configure strict uRPF check on VLAN-interface 10.

[SwitchA-Vlan-interface10] ip urpf strict
