09-Security Configuration Guide

21-uRPF configuration

Configuring uRPF

Overview

Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks.

Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.

Figure 1 Source address spoofing attack (figure not reproduced)

As shown in Figure 1, an attacker on Switch A sends the server (Switch B) requests with a forged source IP address 2.2.2.1 at a high rate. Switch B sends response packets to IP address 2.2.2.1 (Switch C). Consequently, both Switch B and Switch C are attacked. If the administrator disconnects Switch C by mistake, the network service is interrupted.

Attackers can also send packets with different forged source addresses or attack multiple servers simultaneously to block connections or even break down the network.

uRPF can prevent these source address spoofing attacks. It checks whether an interface that receives a packet is the output interface of the FIB entry that matches the source address of the packet. If not, uRPF considers it a spoofing attack and discards the packet.

uRPF check modes

uRPF supports strict and loose modes.

·     Strict uRPF check—To pass strict uRPF check, the source address of a packet and the receiving interface must match the destination address and output interface of a FIB entry. In some scenarios (for example, asymmetrical routing), strict uRPF might discard valid packets. Strict uRPF is often deployed between a PE and a CE.

·     Loose uRPF check—To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry; the receiving interface is not compared. Loose uRPF avoids discarding valid packets, but might let attack packets through. Loose uRPF is often deployed between ISPs, especially where routing is asymmetrical.

uRPF operation

uRPF does not check multicast packets.

Figure 2 shows how uRPF works.

Figure 2 uRPF work flow (figure not reproduced)

1.     uRPF checks source address validity:
       -  uRPF discards packets with a broadcast source address.
       -  uRPF discards packets with an all-zero source address but a non-broadcast destination address. (A packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a DHCP or BOOTP packet and cannot be discarded.)
       -  uRPF proceeds to step 2 for other packets.

2.     uRPF checks whether the source address matches a FIB entry:
       -  If yes, uRPF proceeds to step 3.
       -  If no, uRPF proceeds to step 6.

3.     uRPF checks whether the check mode is loose:
       -  If yes, uRPF proceeds to step 8.
       -  If no, uRPF checks whether the matching route is a direct route:
          -  If yes, uRPF proceeds to step 5.
          -  If no, uRPF proceeds to step 4.

4.     uRPF checks whether the receiving interface matches the output interface of the matching FIB entry:
       -  If yes, uRPF proceeds to step 8.
       -  If no, uRPF proceeds to step 9.

5.     uRPF checks whether the source IP address matches an ARP entry:
       -  If yes, uRPF proceeds to step 8.
       -  If no, uRPF proceeds to step 9.

6.     uRPF checks whether the FIB table has a default route:
       -  If yes, uRPF proceeds to step 7.
       -  If no, uRPF proceeds to step 9.

7.     uRPF checks whether the check mode is loose:
       -  If yes, uRPF proceeds to step 8.
       -  If no, uRPF checks whether the output interface of the default route matches the receiving interface of the packet:
          -  If yes, uRPF proceeds to step 8.
          -  If no, uRPF proceeds to step 9.

8.     The packet passes the check and is forwarded.

9.     The packet is discarded.
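The work flow above as a runnable decision procedure, added here as an illustration and not H3C code. The FIB, the ARP table, the interface names and the addresses are constructed; the function returns True when the flow reaches step 8 and False when it reaches step 9.

```python
import ipaddress

# Constructed sample tables (not from the guide). FIB entries are
# (prefix, output interface, is_direct); 0.0.0.0/0 is the default route.
FIB = [
    (ipaddress.ip_network("10.1.1.0/24"), "GE1/0/1", True),
    (ipaddress.ip_network("2.2.2.0/24"), "GE1/0/2", False),
    (ipaddress.ip_network("0.0.0.0/0"), "GE1/0/3", False),
]
ARP = {"10.1.1.5"}  # hosts with a resolved ARP entry (constructed)

def lookup(fib, addr):
    """Longest-prefix match over the FIB; returns (prefix, oif, direct) or None."""
    best = None
    for entry in fib:
        if addr in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
            best = entry
    return best

def urpf_check(src, dst, in_if, mode, fib=FIB, arp=ARP):
    """Apply the numbered uRPF flow: True means forward (step 8), False means discard (step 9)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    bcast = ipaddress.ip_address("255.255.255.255")
    # Step 1: source address validity.
    if src_ip == bcast:
        return False
    if src_ip == ipaddress.ip_address("0.0.0.0") and dst_ip != bcast:
        return False
    # Step 2: does the source address match a non-default FIB entry?
    entry = lookup([e for e in fib if e[0].prefixlen > 0], src_ip)
    if entry is not None:
        if mode == "loose":            # step 3: loose mode passes on any match
            return True
        _, oif, direct = entry
        if direct:                     # step 5: direct route, source must have an ARP entry
            return str(src_ip) in arp
        return oif == in_if            # step 4: receiving interface must be the route's output
    # Step 6: no specific match, so fall back to the default route if one exists.
    default = lookup(fib, src_ip)
    if default is None or default[0].prefixlen != 0:
        return False                   # step 9: no default route either
    if mode == "loose":                # step 7: loose mode passes on the default route
        return True
    return default[1] == in_if         # strict: default route's output interface must match
```

The spoofed request from Figure 1 (source 2.2.2.1 arriving on the customer-facing interface) is the case that strict mode drops and loose mode lets through.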

Network application

Figure 3 Network diagram (figure not reproduced)

As shown in Figure 3, strict uRPF check is configured between an ISP network and a customer network. Loose uRPF check is configured between ISPs.

Enabling uRPF

uRPF checks only incoming packets on interfaces.

Follow these guidelines when you enable uRPF:

·     After you enable the uRPF feature on the switch, the routing table size might decrease by half.

·     If the number of routes already exceeds half the routing table size of the switch, uRPF cannot be enabled. This restriction prevents the loss of routes and packets that the smaller table would otherwise cause.

·     Do not use strict uRPF if ECMP routing is configured in the network. Service packets that travel along ECMP routes cannot pass the strict uRPF check and will be dropped.

To enable uRPF globally:

Step                        Command                        Remarks
1. Enter system view.       system-view                    N/A
2. Enable uRPF globally.    ip urpf { loose | strict }     By default, uRPF is disabled.

Displaying and maintaining uRPF

Execute display commands in any view.

Task                            Command
Display uRPF configuration.     display ip urpf [ slot slot-number ]

Global uRPF configuration example

Network requirements

As shown in Figure 4, a client (Switch A) directly connects to an ISP switch (Switch B).

To prevent source address spoofing attacks, perform the following tasks:

·     Enable strict uRPF check on Switch A.

·     Enable strict uRPF check on Switch B.

Figure 4 Network diagram (figure not reproduced)

Configuration procedure

1.     Enable strict uRPF check on Switch A.

<SwitchA> system-view

[SwitchA] ip urpf strict

2.     Enable strict uRPF check on Switch B.

<SwitchB> system-view

[SwitchB] ip urpf strict
