Login

WelcomeuserNew H3C退出

English

Contact Sales Online Exhibition Center Resource Center Become a Partner
Back

09-Security Configuration Guide

HomeSupportSwitchesH3C S5850 Switch SeriesConfigure & DeployConfiguration GuidesH3C S5850 Switch Series Configuration Guides-Release 8005-6W10009-Security Configuration Guide
Table of Contents
Related Documents
21-uRPF configuration
Title Size Download
21-uRPF configuration 138.84 KB

Contents

Configuring uRPF· 1

About uRPF· 1

uRPF application scenario· 1

uRPF check modes· 1

Network application· 1

Restrictions and guidelines: uRPF configuration· 2

Enabling uRPF globally· 2

Display and maintenance commands for uRPF· 2

Configuring IPv6 uRPF· 4

About IPv6 uRPF· 4

IPv6 uRPF application scenario· 4

IPv6 uRPF check modes· 4

Network application· 5

Restrictions and guidelines: IPv6 uRPF configuration· 5

Enabling IPv6 uRPF globally· 5

Display and maintenance commands for IPv6 uRPF· 6

 

Configuring uRPF

About uRPF

Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks.

uRPF application scenario

Attackers send packets with a forged source address to access a system that uses IPv4-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.

Figure 1 Source address spoofing attack

As shown in Figure 1, an attacker on Router A sends the server (Router B) requests with a forged source IP address 2.2.2.1 at a high rate. Router B sends response packets to IP address 2.2.2.1 (Router C). Consequently, both Router B and Router C are attacked. If the administrator disconnects Router C by mistake, the network service is interrupted.

Attackers can also send packets with different forged source addresses or attack multiple servers simultaneously to block connections or even break down the network.

uRPF can prevent these source address spoofing attacks. It checks whether an interface that receives a packet is the output interface of the FIB entry that matches the source address of the packet. If not, uRPF considers it a spoofing attack and discards the packet.

uRPF check modes

uRPF supports strict and loose modes.

Strict uRPF check

To pass strict uRPF check, the source address of a packet and the receiving interface must match the destination address and output interface of a FIB entry. In some scenarios (for example, asymmetrical routing), strict uRPF might discard valid packets.

Strict uRPF is often deployed between a PE and a CE.

Loose uRPF check

To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry. Loose uRPF can avoid discarding valid packets, but might let go attack packets.

Loose uRPF is often deployed between ISPs, especially in asymmetrical routing.

Network application

As shown in Figure 2, strict uRPF check is configured between an ISP network and a customer network. Loose uRPF check is configured between ISPs.

Figure 2 Network diagram

Restrictions and guidelines: uRPF configuration

Do not use strict uRPF if ECMP routing is available in the network. Service packets that travel along ECMP routes cannot pass the strict uRPF check and will be dropped.

Enabling uRPF globally

Restrictions and guidelines

Global uRPF takes effect on all interfaces of the device.

Procedure

1.     Enter system view.

system-view

2.     Enable uRPF globally.

ip urpf { loose | strict }

By default, uRPF is disabled.

Display and maintenance commands for uRPF

Execute display commands in any view.

 

Task

Command

Display uRPF configuration.

display ip urpf [ slot slot-number ]


Configuring IPv6 uRPF

About IPv6 uRPF

IPv6 Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks.

IPv6 uRPF application scenario

Attackers send packets with a forged source address to access a system that uses IPv6-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.

Figure 3 Source address spoofing attack

 

As shown in Figure 3, an attacker on Router A sends the server (Router B) requests with a forged source IPv6 address 2000::1 at a high rate. Router B sends response packets to IPv6 address 2000::1 (Router C). Consequently, both Router B and Router C are attacked. If the administrator disconnects Router C by mistake, the network service is interrupted.

Attackers can also send packets with different forged source addresses or attack multiple servers simultaneously to block connections or even break down the network.

IPv6 uRPF can prevent these source address spoofing attacks. It checks whether an interface that receives a packet is the output interface of the FIB entry that matches the source address of the packet. If not, IPv6 uRPF considers it a spoofing attack and discards the packet.

IPv6 uRPF check modes

IPv6 uRPF supports strict and loose check modes.

Strict IPv6 uRPF check

To pass strict IPv6 uRPF check, the source address of a packet and the receiving interface must match the destination address and output interface of an IPv6 FIB entry. In some scenarios (for example, asymmetrical routing), strict IPv6 uRPF might discard valid packets.

Strict IPv6 uRPF is often deployed between a PE and a CE.

Loose IPv6 uRPF check

To pass loose IPv6 uRPF check, the source address of a packet must match the destination address of an IPv6 FIB entry. Loose IPv6 uRPF can avoid discarding valid packets, but might let go attack packets.

Loose IPv6 uRPF is often deployed between ISPs, especially in asymmetrical routing.

Network application

As shown in Figure 4, strict IPv6 uRPF check is configured between an ISP network and a customer network. Loose IPv6 uRPF check is configured between ISPs.

Figure 4 Network diagram

 

 

Restrictions and guidelines: IPv6 uRPF configuration

Do not use strict IPv6 uRPF if ECMP routing is available in the network. Service packets that travel along ECMP routes cannot pass the strict uRPF check and will be dropped.

Enabling IPv6 uRPF globally

Restrictions and guidelines

Global IPv6 uRPF takes effect on all interfaces of the device.

Procedure

1.     Enter system view.

system-view

2.     Enable global IPv6 uRPF.

ipv6 urpf { loose | strict }

By default, IPv6 uRPF is disabled.

Display and maintenance commands for IPv6 uRPF

Execute display commands in any view.

 

Task

Command

Display IPv6 uRPF configuration.

display ipv6 urpf  [ slot slot-number ]

 

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Intelligent Storage
  • Security
  • SMB Products
  • Intelligent Terminal Products

Cloud & AI

H3C Workspace Cloud Desktop

Learn more

Intelligent Connection

Intelligent Computing

H3C UniServer R4900 G5 Server

Learn more

Intelligent Storage

Security

Situational Awareness

Learn more

Zero Trust Security Solution

Learn more

SMB Products

Intelligent Terminal Products

Industry Solutions

The Government Cloud “1+N+N+1” Innovation Model Becomes a Template

Learn more

Strong Support for the G20 Hangzhou Summit

Learn more
  • Product Support Services
  • Technical Service Solutions
All Services

Product Support Services

Technical Service Solutions

  • Resource Center
  • Policy
  • Online Help
  • Technical Blogs
All Support

Resource Center

Policy

Online Help

Technical Blogs

Training & Certification

  • Become A Partner
  • Partner Policy & Program
  • Global Learning
  • Partner Sales Resources
  • Partner Business Management
  • Service Business
All Partners

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Partner Business Management

Service Business

  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us

Profile

News & Events

Online Exhibition Center

Contact Us

新华三官网