09 Security Configuration Guide: 15-uRPF configuration
Overview
Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks.
Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
Figure 1 Source address spoofing attack
As shown in Figure 1, an attacker on Router A sends the server (Router B) requests with a forged source IP address 2.2.2.1 at a high rate, and Router B sends response packets to IP address 2.2.2.1 (Router C). Consequently, both Router B and Router C are attacked. If the administrator disconnects Router C by mistake, the network service is interrupted.
Attackers can also send packets with many different forged source addresses, or attack multiple servers simultaneously, to block connections or even bring down the network.
uRPF can prevent these source address spoofing attacks. It checks whether an interface that receives a packet is the output interface of the FIB entry that matches the source address of the packet. If not, uRPF considers it a spoofing attack and discards the packet.
uRPF check modes
uRPF supports strict and loose modes.
· Strict uRPF check—To pass strict uRPF check, the source address of a packet and the receiving interface must match the destination address and output interface of a FIB entry. In some scenarios (for example, asymmetrical routing), strict uRPF might discard valid packets. Strict uRPF is often deployed between a PE and a CE.
· Loose uRPF check—To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry; the receiving interface is not checked. Loose uRPF avoids discarding valid packets, but might let some attack packets through. Loose uRPF is often deployed between ISPs, especially where routing is asymmetrical.
uRPF operation
Figure 2 shows how uRPF works.
1. uRPF checks source address validity:
   - uRPF discards packets with a broadcast source address.
   - uRPF discards packets with an all-zero source address but a non-broadcast destination address. (A packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a DHCP or BOOTP packet and cannot be discarded.)
   - uRPF proceeds to step 2 for other packets.
2. uRPF checks whether the source address matches a FIB entry:
   - If yes, uRPF proceeds to step 3.
   - If no, uRPF proceeds to step 6.
3. uRPF checks whether the check mode is loose:
   - If yes, uRPF proceeds to step 8.
   - If no, uRPF checks whether the matching route is a direct route:
     - If yes, uRPF proceeds to step 5.
     - If no, uRPF proceeds to step 4.
4. uRPF checks whether the receiving interface matches the output interface of the matching FIB entry:
   - If yes, uRPF proceeds to step 8.
   - If no, uRPF proceeds to step 9.
5. uRPF checks whether the source IP address matches an ARP entry:
   - If yes, uRPF proceeds to step 8.
   - If no, uRPF proceeds to step 9.
6. uRPF checks whether the FIB table has a default route:
   - If yes, uRPF proceeds to step 7.
   - If no, uRPF proceeds to step 9.
7. uRPF checks whether the check mode is loose:
   - If yes, uRPF proceeds to step 8.
   - If no, uRPF checks whether the output interface of the default route matches the receiving interface of the packet:
     - If yes, uRPF proceeds to step 8.
     - If no, uRPF proceeds to step 9.
8. The packet passes the check and is forwarded.
9. The packet is discarded.
NOTE: uRPF does not check multicast packets.
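The nine-step flow above, modelled in Python as an added example (not code from the guide or from the switch software). The FIB, ARP table and interface names are constructed for illustration; the default route is handled at step 6 rather than as an ordinary step-2 match, as the flow describes, and a direct route is checked against the ARP table instead of the receiving interface.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str            # output interface of the FIB entry
    direct: bool = False  # directly connected network (step 5 applies)

# Constructed FIB and ARP table for illustration only.
FIB = [
    Route(ipaddress.ip_network("10.1.1.0/24"), "GE1/0/1"),
    Route(ipaddress.ip_network("2.2.2.0/24"), "GE1/0/2"),
    Route(ipaddress.ip_network("192.168.1.0/24"), "GE1/0/3", direct=True),
    Route(ipaddress.ip_network("0.0.0.0/0"), "GE1/0/9"),   # default route
]
ARP = {"192.168.1.5"}   # hosts on the connected segment with an ARP entry

def longest_match(addr, routes):
    """Longest-prefix match of addr against routes; None if nothing matches."""
    cands = [r for r in routes if addr in r.prefix]
    return max(cands, key=lambda r: r.prefix.prefixlen, default=None)

def urpf_check(src, dst, in_iface, mode, fib=FIB, arp=ARP):
    """Return True if the packet is forwarded, False if uRPF discards it."""
    src_ip = ipaddress.ip_address(src)
    # Step 1: source address validity.
    if src == "255.255.255.255":                        # broadcast source
        return False
    if src == "0.0.0.0" and dst != "255.255.255.255":   # all-zero source, unicast dst
        return False
    # Step 2: match a FIB entry; the default route is left for step 6.
    route = longest_match(src_ip, [r for r in fib if r.prefix.prefixlen > 0])
    if route is not None:
        if mode == "loose":               # step 3: loose mode passes on any match
            return True
        if route.direct:                  # step 5: direct route, check ARP instead
            return src in arp
        return route.iface == in_iface    # step 4: strict mode, interface must match
    # Step 6: no specific match, fall back to the default route.
    default = next((r for r in fib if r.prefix.prefixlen == 0), None)
    if default is None:                   # step 9: no default route, discard
        return False
    # Step 7: loose passes; strict requires the default route's output interface.
    return mode == "loose" or default.iface == in_iface
```

With these tables, the Figure 1 scenario (source 2.2.2.1 arriving on the customer-facing interface GE1/0/1 while the route to 2.2.2.0/24 points out GE1/0/2) is discarded in strict mode and forwarded in loose mode.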
Network application
As shown in Figure 3, strict uRPF check is configured between an ISP network and a customer network. Loose uRPF check is configured between ISPs.
Configuring uRPF
When you configure uRPF, follow these restrictions and guidelines:
· Global uRPF configuration takes effect on both IPv4 and IPv6 routes.
· uRPF checks only incoming packets on an interface.
· After you enable the uRPF function on the switch, the routing table size might decrease by half.
· If the number of routes already exceeds half the routing table size of the switch, uRPF cannot be enabled; this prevents the loss of routes and packets that the reduced table size would cause.
To enable uRPF globally:
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Enable uRPF globally. | ip urpf { loose \| strict } | By default, uRPF is disabled.
Displaying and maintaining uRPF
Execute display commands in any view.
Task | Command
---|---
Display uRPF configuration. | display ip urpf [ slot slot-number ]
uRPF configuration example
Network requirements
As shown in Figure 4, a client (Switch A) directly connects to an ISP switch (Switch B).
Enable strict uRPF check on Switch A and Switch B to prevent source address spoofing attacks.
Configuration procedure
1. Enable strict uRPF check on Switch A.
<SwitchA> system-view
[SwitchA] ip urpf strict
2. Enable strict uRPF check on Switch B.
<SwitchB> system-view
[SwitchB] ip urpf strict