Login
- Table of Contents
-
- 03-Policies
- 01-Security policy
- 02-Attack defense
- 03-Connection limit
- 04-uRPF
- 05-NAT
- 06-AFT
- 07-Application audit
- 08-Bandwidth management
- 09-Load balancing common configuration
- 10-Server load balancing
- 11-Outbound link load balancing
- 12-Inbound link load balancing
- 13-Transparent DNS proxy
- 14-Application proxy
- 15-NetShare control
- 16-Security policy hit analysis
- 17-Security policy redundancy analysis
- 18-Global load balancing
- 19-IP reputation
- 20-NAT66
- 21-Server connection detection
- 22-Security policy optimization
- 23-Server load balancing
- 24-Load balancing common configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 04-uRPF | 106.78 KB |
uRPF
This help contains the following topics:
Introduction
Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks.
Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
Figure 1 Source address spoofing attack
As shown in Figure 1, an attacker on Device A sends the server (Device B) requests with a forged source IP address 2.2.2.1 at a high rate. Device B sends response packets to IP address 2.2.2.1 (Device C). Consequently, both Device B and Device C are attacked. If the administrator disconnects Device C by mistake, the network service is interrupted.
Attackers can also send packets with different forged source addresses or attack multiple servers simultaneously to block connections or even break down the network.
uRPF can prevent these source address spoofing attacks. It checks whether an interface that receives a packet is the output interface of the FIB entry that matches the source address of the packet. If not, uRPF considers it a spoofing attack and discards the packet.
uRPF check modes
uRPF supports strict and loose modes.
Strict uRPF check
To pass strict uRPF check, the source address of a packet and the receiving interface must match the destination address and output interface of a FIB entry. In some scenarios (for example, asymmetrical routing), strict uRPF might discard valid packets.
Strict uRPF is often deployed between a PE and a CE.
Loose uRPF check
To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry. Loose uRPF can avoid discarding valid packets, but might let go attack packets.
Loose uRPF is often deployed between ISPs, especially in asymmetrical routing.
uRPF extended functions
Using the default route in uRPF check
When a default route exists, all packets that fail to match a specific FIB entry match the default route during uRPF check and thus are permitted to pass. To avoid this situation, you can disable uRPF from using any default route to discard such packets. If you allow using the default route, uRPF permits packets that only match the default route.
By default, uRPF discards packets that can only match a default route. Typically, you do not need to use the default route for uRPF check on a PE device because it has no default route pointing to the CE. If you enable uRPF on a CE interface and the CE interface has a default route pointing to the PE, use the default route for uRPF check.
Link layer check (only supported by IPv4 uRPF)
Strict uRPF check can further perform link layer check on a packet. It uses the next hop address in the matching FIB entry to look up the ARP table for a matching entry. If the source MAC address of the packet matches the MAC address in the matching ARP entry, the packet passes strict uRPF check. Link layer check is applicable to ISP devices where a Layer 3 Ethernet interface connects a large number of PCs.
Loose uRPF does not support link layer check.
Using an ACL for uRPF check exemption
To identify specific packets as valid packets, you can use an ACL to match these packets. Even if the packets do not pass uRPF check, they are still forwarded.
uRPF operation
IPv4 uRPF operation
The following figure shows how IPv4 uRPF works.
1. uRPF checks address validity:
¡ uRPF permits a packet with a multicast destination address.
¡ For a packet with an all-zero source address, uRPF permits the packet if it has a broadcast destination address. (A packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a DHCP or BOOTP packet and cannot be discarded.) uRPF proceeds to step 7 if the packet has a non-broadcast destination address.
¡ uRPF proceeds to step 2 for other packets.
2. uRPF checks whether the source address matches a unicast route:
¡ If yes, uRPF proceeds to step 3.
¡ If no, uRPF proceeds to step 7. A non-unicast source address matches a non-unicast route.
3. uRPF checks whether the matching route is to the host itself:
¡ If yes, the output interface of the matching route is an InLoop interface. uRPF checks whether the receiving interface of the packet is an InLoop interface. If yes, it does not check the packet. If no, it proceeds to step 7.
¡ If no, uRPF proceeds to step 4.
4. uRPF checks whether the matching route is a default route:
¡ If yes, uRPF checks whether the default route is allowed. If yes, it proceeds to step 5. If no, it proceeds to step 7.
¡ If no, uRPF proceeds to step 5.
5. uRPF checks whether the receiving interface matches the output interface of the matching FIB entry:
¡ If yes, uRPF proceeds to step 6.
¡ If no, uRPF checks whether the check mode is loose. If yes, it proceeds to step 7. If no, it proceeds to step 6.
6. uRPF checks whether link layer check is configured:
¡ If no, the packet passes the check.
¡ If yes, uRPF uses the next-hop address of the FIB entry to look up the ARP table for a matching entry. Then it checks whether the MAC address of the matching ARP entry is identical with the source MAC address of the packet. If yes, the packet passes the check. If no, uRPF proceeds to step 7.
7. uRPF checks whether the packet is permitted by the ACL:
¡ If yes, the packet is forwarded. Such a packet is suppressed from being dropped.
¡ If no, the packet is discarded.
IPv6 uRPF operation
The following figure shows how IPv6 uRPF works.
Figure 3 IPv6 uRPF work flow
1. IPv6 uRPF checks whether the received packet carries a multicast destination address:
¡ If yes, IPv6 uRPF permits the packet.
¡ If no, IPv6 uRPF proceeds to step 2.
2. IPv6 uRPF checks whether the source address matches a unicast route:
¡ If yes, IPv6 uRPF proceeds to step 3.
¡ If no, IPv6 uRPF proceeds to step 6. A non-unicast source address matches a non-unicast route.
3. IPv6 uRPF checks whether the matching route is to the host itself:
¡ If yes, the output interface of the matching route is an InLoop interface. IPv6 uRPF checks whether the receiving interface of the packet is an InLoop interface. If yes, IPv6 uRPF permits the packet. If no, IPv6 uRPF proceeds to step 6. If the source address is a link-local address and is the receiving interface address, also proceeds to step 6.
¡ If no, IPv6 uRPF proceeds to step 4.
4. IPv6 uRPF checks whether the receiving interface matches the output interface of the matching FIB entry:
¡ If yes, IPv6 uRPF proceeds to step 5.
¡ If no, IPv6 uRPF checks whether the check mode is loose. If yes, it proceeds to step 5. If no, it proceeds to step 6.
5. IPv6 uRPF checks whether the matching route is a default route:
¡ If yes, IPv6 uRPF checks whether the default route is allowed. If yes, the packet is forwarded. If no, IPv6 uRPF proceeds to step 6.
¡ If no, the packet is forwarded.
6. IPv6 uRPF checks whether the packet is permitted by the IPv6 ACL:
¡ If yes, the packet is forwarded. Such a packet is suppressed from being dropped.
¡ If no, the packet is discarded.
uRPF network application
strict uRPF check is configured between an ISP network and a customer network. Loose IPv6 uRPF check is configured between ISPs.
For special packets or users, you can configure ACLs.
Restrictions and guidelines
Do not select Allow using default route for uRPF check for loose uRPF check. Otherwise, uRPF might fail to work.
Configure uRPF
Configure IPv4 uRPF
Procedure
1. Click the Policies tab.
2. In the navigation pane, select Attack defense > uRPF > IPv4 uRPF.
3. Click Create.
4. Configure IPv4 uRPF.
Table 1 IPv4 uRPF configuration items
|
Item |
Description |
|
Security zone |
Select a security zone to which IPv4 uRPF is applied. The list contains the default security zone and security zones that have been configured on the Network > Security Zones page. |
|
Check mode |
· Strict—Strict uRPF check. To pass strict uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of a FIB entry. · Loose—Loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry. |
|
Check exemption |
Select an ACL that suppresses packet dropping. You can select an existing IPv4 ACL or create a new one. The created ACL is displayed on the Objects > ACLs > IPv4 ACLs page. |
|
Allow using default route for uRPF check |
Select whether to allow using the default route for uRPF check. |
|
Enable link layer check |
Select whether to enable link layer check. |
5. Click OK.
Configure IPv6 uRPF
Procedure
1. Click the Policies tab.
2. In the navigation pane, select Attack defense > uRPF > IPv6 uRPF.
3. Click Create.
4. Configure IPv6 uRPF.
Table 2 IPv6 uRPF configuration items
|
Item |
Description |
|
Security zone |
Select a security zone to which IPv6 uRPF is applied. The list contains the default security zone and security zones that have been configured on the Network > Security Zones page. |
|
Check mode |
· Strict—Strict IPv6 uRPF check. To pass strict IPv6 uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of an IPv6 FIB entry. · Loose—Loose IPv6 uRPF check. To pass loose IPv6 uRPF check, the source address of a packet must match the destination address of an IPv6 FIB entry. |
|
Check exemption |
Select an ACL that suppresses packet dropping. You can select an existing IPv6 ACL or create a new one. The created ACL is displayed on the Objects > ACLs > IPv6 ACLs page. |
|
Allow using default route for uRPF check |
Select whether to allow using the default route for uRPF check. |
5. Click OK.
