11-Security Configuration Guide

15-URPF Configuration

Overview

Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks, such as denial of service (DoS) and distributed denial of service (DDoS) attacks.

Attackers send packets with forged source addresses to access a system that uses IP-address-based authentication in the name of authorized users, or even the administrator. Even if the attackers cannot receive any response packets, the attacks are still disruptive to the attacked target.

Figure 1 Attack based on source address spoofing


As shown in Figure 1, an attacker on Switch A sends the server (Switch B) requests with a forged source IP address 2.2.2.1, and Switch B sends response packets to IP address 2.2.2.1 (Switch C). Consequently, both Switch B and Switch C are attacked. URPF can prevent such attacks.

URPF check modes

URPF supports two check modes: strict and loose. The switch supports the strict mode only.

·     Strict URPF: For a packet to pass strict URPF check, the source address and receiving interface of the packet must match the destination address and output interface of a FIB entry. In some scenarios, such as asymmetrical routing, strict URPF discards valid packets. Strict URPF is often deployed between an ISP and the connected users.

·     Loose URPF: For a packet to pass loose URPF check, the source address of the packet only needs to match the destination address of a FIB entry. Loose URPF avoids discarding valid packets but might let attack packets through. Loose URPF is often deployed between ISPs, especially where routing is asymmetrical.

URPF link layer check

Strict URPF check can perform link layer check on a packet. It uses the next hop address in the matching FIB entry to look up the ARP table for a matching entry. If the source MAC address of the packet matches the MAC address in the matching ARP entry, the packet passes strict URPF check.

Link layer check is applicable to the scenario where a Layer 3 Ethernet interface connects to a large number of users.

How URPF works

URPF does not check multicast packets.

URPF works as follows:

1.     If the source IP address of an incoming packet is found in the FIB table:

URPF does a reverse route lookup for routes to the source address of the packet. If at least one outgoing interface of such a route matches the receiving interface, the packet passes the check. Otherwise, the packet is discarded. A reverse route lookup searches the FIB for the route whose destination matches the source IP address of the packet and takes the outgoing interface of that route.

2.     If the packet passes the reverse route check, URPF starts the link layer check:

-     If the link-check keyword is not configured, the packet passes the check and is forwarded.

-     If the link-check keyword is configured, URPF compares the MAC address of the next hop in the FIB entry with the source MAC address of the packet. If they are the same, the packet passes the check. Otherwise, the packet is rejected.
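The following Python model is an added illustration of the check sequence described above and of the strict/loose distinction in "URPF check modes"; it is not code from H3C or from the switch software. The FIB, ARP table, interface names and MAC addresses are constructed for the example. Treatment of the default route (excluded from the reverse lookup unless allow_default_route is set) is an assumption modelled on the "allow use of the default route" wording in the configuration example, not a documented switch behaviour.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str
    # (outgoing interface, next-hop IP); next hop None means directly connected
    next_hops: tuple


# Constructed FIB of the checking switch (think of Switch B in Figure 2).
FIB = [
    Route("1.1.1.0/24", (("Vlan10", None),)),                              # connected users
    Route("2.2.2.0/24", (("Vlan20", "10.0.0.2"),)),
    Route("3.3.3.0/24", (("Vlan30", "10.0.1.2"), ("Vlan31", "10.0.1.6"))),  # ECMP, two paths
    Route("0.0.0.0/0", (("Vlan40", "10.0.2.1"),)),                        # default route
]

# Constructed ARP table: IP address -> MAC address.
ARP = {
    "1.1.1.1": "00:e0:fc:00:00:01",
    "10.0.0.2": "00:e0:fc:00:00:02",
    "10.0.1.2": "00:e0:fc:00:00:03",
    "10.0.1.6": "00:e0:fc:00:00:04",
    "10.0.2.1": "00:e0:fc:00:00:05",
}


def reverse_lookup(src_ip, allow_default_route=False):
    """Longest-prefix match of the packet's SOURCE address against the FIB.

    Assumption: the default route only counts when allow_default_route is True.
    """
    addr = ip_address(src_ip)
    best = None
    for route in FIB:
        net = ip_network(route.prefix)
        if addr in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = route
    if best is not None and best.prefix == "0.0.0.0/0" and not allow_default_route:
        return None
    return best


def urpf_check(pkt, mode="strict", link_check=False, allow_default_route=False):
    """Apply URPF to a packet dict {src, dst, in_iface, src_mac}.

    Returns (passed, reason). Steps follow the guide: multicast is not checked,
    reverse route lookup, receiving-interface match (strict only), then the
    optional link layer check against the next hop's ARP entry.
    """
    if ip_address(pkt["dst"]).is_multicast:
        return True, "multicast packet: not checked"
    route = reverse_lookup(pkt["src"], allow_default_route)
    if route is None:
        return False, "no reverse route for source address"
    if mode == "loose":
        return True, "loose: reverse route exists"
    # Strict: at least one outgoing interface must equal the receiving interface.
    matching = [nh for iface, nh in route.next_hops if iface == pkt["in_iface"]]
    if not matching:
        out = [iface for iface, _ in route.next_hops]
        return False, f"strict: reverse route leaves via {out}, packet arrived on {pkt['in_iface']}"
    if not link_check:
        return True, "strict: receiving interface matches"
    # Link layer check: compare the next hop's MAC with the packet's source MAC.
    next_hop = matching[0] or pkt["src"]  # connected route: the host itself is the next hop
    if ARP.get(next_hop) == pkt["src_mac"]:
        return True, "strict + link-check: source MAC matches ARP entry"
    return False, "strict + link-check: source MAC does not match ARP entry"


# Constructed packets: a spoofed one in the spirit of Figure 1, and a legitimate one.
SPOOFED = {"src": "2.2.2.1", "dst": "1.1.1.2", "in_iface": "Vlan10", "src_mac": "00:e0:fc:00:00:01"}
LEGIT = {"src": "1.1.1.1", "dst": "1.1.1.2", "in_iface": "Vlan10", "src_mac": "00:e0:fc:00:00:01"}

if __name__ == "__main__":
    for name, pkt in (("spoofed", SPOOFED), ("legit", LEGIT)):
        for mode in ("strict", "loose"):
            print(name, mode, urpf_check(pkt, mode=mode))
```

Running the block shows why the guide calls strict mode the choice between an ISP and its users: the spoofed packet has a reverse route (via Vlan20) and so passes loose mode, but fails strict mode because it arrived on Vlan10. The ECMP route for 3.3.3.0/24 passes strict mode from either Vlan30 or Vlan31, matching the "at least one outgoing interface" rule in step 1.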

Configuring URPF

When you configure URPF, follow these guidelines:

·     The switch does not support URPF check where more than eight ECMP routes exist. For more information about ECMP routing, see Layer 3—IP Routing Configuration Guide.

·     The link layer check feature (configured by using the link-check keyword) does not support ECMP routing. If ECMP routes exist, disable the link layer check feature.

·     URPF check takes effect only on the VLAN interfaces.

·     URPF only checks incoming packets on an interface.

·     When the system operates in standard mode, do not configure URPF on a VLAN interface bound to a VPN instance that has no reserved VLAN configured. For more information about system operating modes, see Fundamentals Configuration Guide. For more information about the reserved VLAN, see MPLS Configuration Guide.

To configure URPF:

Step                          Command                                        Remarks
1.     Enter system view.     system-view                                    N/A
2.     Enter interface view.  interface interface-type interface-number      N/A
3.     Enable URPF check.     ip urpf strict [ link-check ]                  URPF check is disabled by default.

URPF configuration example

By default, Ethernet, VLAN, and aggregate interfaces are down. To configure such an interface, bring the interface up by executing the undo shutdown command.

Network requirements

As shown in Figure 2, a client (Switch A) directly connects to the ISP switch (Switch B). Enable strict URPF check on VLAN-interface 10 of Switch B to allow packets whose source addresses match ACL 2010 to pass. Enable strict URPF check on VLAN-interface 10 of Switch A to allow use of the default route for URPF check.

Figure 2 Network diagram


Configuration procedure

1.     Configure Switch B:

# Create VLAN 10.

<SwitchB> system-view

[SwitchB] vlan 10

[SwitchB-vlan10] quit

# Specify the IP address for VLAN-interface 10.

[SwitchB] interface vlan-interface 10

[SwitchB-Vlan-interface10] ip address 1.1.1.2 255.255.255.0

# Enable strict URPF check on VLAN-interface 10.

[SwitchB-Vlan-interface10] ip urpf strict

2.     Configure Switch A:

# Create VLAN 10.

<SwitchA> system-view

[SwitchA] vlan 10

[SwitchA-vlan10] quit

# Specify the IP address for VLAN-interface 10.

[SwitchA] interface vlan-interface 10

[SwitchA-Vlan-interface10] ip address 1.1.1.1 255.255.255.0

# Enable strict URPF check on VLAN-interface 10.

[SwitchA-Vlan-interface10] ip urpf strict
