- 18-Security Configuration Guide
17-uRPF configuration
Contents
Configuring uRPF
About uRPF
Restrictions and guidelines: uRPF configuration
Enabling uRPF globally
Enabling uRPF on an interface
Enabling uRPF on a VT interface
Verifying and maintaining uRPF
uRPF configuration examples
Example: Configuring uRPF for interfaces
Configuring IPv6 uRPF
About IPv6 uRPF
Restrictions and guidelines: IPv6 uRPF configuration
Enabling IPv6 uRPF globally
Enabling IPv6 uRPF on an interface
Enabling IPv6 uRPF on a VT interface
Verifying and maintaining IPv6 uRPF
IPv6 uRPF configuration examples
Example: Configuring IPv6 uRPF for interfaces
Configuring uRPF
About uRPF
Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks.
uRPF application scenario
Attackers send packets with a forged source address to a system that uses IPv4 address-based authentication, impersonating authorized users or even the administrator. Even though the attackers (or the hosts whose addresses they forge) never receive the response packets, the attack still disrupts the target.
Figure 1 Source address spoofing attack
As shown in Figure 1, an attacker on Device A sends the server (Device B) requests with a forged source IP address 2.2.2.1 at a high rate. Device B sends response packets to IP address 2.2.2.1 (Device C). Consequently, both Device B and Device C are attacked. If the administrator disconnects Device C by mistake, the network service is interrupted.
Attackers can also send packets with different forged source addresses or attack multiple servers simultaneously to block connections or even break down the network.
uRPF can prevent these source address spoofing attacks. It checks whether an interface that receives a packet is the output interface of the FIB entry that matches the source address of the packet. If not, uRPF considers it a spoofing attack and discards the packet.
uRPF check modes
uRPF supports strict and loose modes.
Strict uRPF check
To pass strict uRPF check, the source address of a packet and the receiving interface must match the destination address and output interface of a FIB entry. In some scenarios (for example, asymmetrical routing), strict uRPF might discard valid packets.
Strict uRPF is often deployed between a PE and a CE.
Loose uRPF check
To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry; the receiving interface is not checked. Loose uRPF avoids discarding valid packets in asymmetric routing, but might let attack packets through whenever the forged source address is routable at all.
Loose uRPF is often deployed between ISPs, especially where routing is asymmetric.
uRPF extended functions
Link layer check
Strict uRPF check can further perform link layer check on a packet. It uses the next hop address in the matching FIB entry to look up the ARP table for a matching entry. If the source MAC address of the packet matches the MAC address in the matching ARP entry, the packet passes strict uRPF check. Link layer check is applicable to ISP devices where a Layer 3 Ethernet interface connects a large number of PCs.
Loose uRPF does not support link layer check.
Using the default route in uRPF check
When a default route exists, every packet whose source address matches no specific FIB entry still matches the default route. If uRPF accepted that match, any source address whatsoever would pass the check on the interface the default route points out of. By default, therefore, uRPF does not use the default route and discards packets that match only the default route. If you specify the allow-default-route keyword, uRPF permits packets that match only the default route.
Typically, you do not need to configure the allow-default-route keyword on a PE device because it has no default route pointing to the CE. If you enable uRPF on a CE interface and the CE interface has a default route pointing to the PE, specify the allow-default-route keyword.
Using an ACL for uRPF check exemption
To exempt specific packets from uRPF check, use an ACL to match them. Packets permitted by the ACL are forwarded even if they fail uRPF check (they are counted as suppressed drops rather than drops).
uRPF operation
Figure 2 shows how uRPF works.
1. uRPF checks whether the received packet carries a multicast destination address:
¡ If yes, uRPF permits the packet.
¡ If no, uRPF proceeds to step 2.
2. uRPF checks whether the uRPF check mode is loose:
¡ If yes, uRPF performs FIB lookup based on the source IP address and then proceeds to step 3.
¡ If no, uRPF performs FIB lookup based on the source IP address and the receiving interface and then proceeds to step 3.
3. uRPF checks whether the source IP address is an all-zero address:
¡ If yes, uRPF checks whether the destination address of the packet is a broadcast address.
- If yes, uRPF permits the packet.
- If no, uRPF proceeds to step 8.
¡ If no, uRPF proceeds to step 4.
4. uRPF checks whether the source address matches a unicast route:
¡ If yes, uRPF proceeds to step 5.
¡ If no, uRPF proceeds to step 8.
5. uRPF checks whether the matching route is to the host itself (whether the output interface of the matching route is an InLoop interface):
¡ If yes, uRPF checks whether the receiving interface of the packet is an InLoop interface.
- If yes, uRPF permits the packet.
- If no, uRPF proceeds to step 8.
¡ If no, uRPF proceeds to step 6.
6. uRPF checks whether the matching route is a default route:
¡ If yes, uRPF checks whether the allow-default-route keyword is configured to allow using the default route.
- If yes, uRPF proceeds to step 7.
- If no, uRPF proceeds to step 8.
¡ If no, uRPF proceeds to step 7.
7. uRPF checks whether the link-check keyword is configured for link layer check:
¡ If no, uRPF permits the packet.
¡ If yes, uRPF uses the next-hop address of the FIB entry to look up the ARP table for a matching entry. Then it checks whether the MAC address of the matching ARP entry is identical with the source MAC address of the packet.
- If yes, uRPF permits the packet.
- If no, uRPF proceeds to step 8.
8. uRPF checks whether the packet is permitted by the ACL:
¡ If yes, the packet is forwarded (such a packet is displayed in the uRPF information as a "suppressed drop").
¡ If no, the packet is discarded.
Network application
As shown in Figure 3, strict uRPF check is configured between an ISP network and a customer network. Loose uRPF check is configured between ISPs.
For special packets or users, you can configure ACLs.
Restrictions and guidelines: uRPF configuration
If you enable uRPF on an interface, you can use the display ip interface command to display statistics about packets discarded by uRPF (displayed as "Drops" and "Suppressed drops"). If you enable uRPF globally, the system does not provide statistics about packets discarded by uRPF.
Do not configure the allow-default-route keyword for loose uRPF check. Otherwise, uRPF might fail to work.
If you configure uRPF globally and on an interface, the interface preferentially uses the interface-specific settings.
Enabling uRPF globally
Restrictions and guidelines
Global uRPF takes effect on all interfaces of the device.
Procedure
1. Enter system view.
system-view
2. Enable uRPF globally.
ip urpf { loose [ allow-default-route ] [ acl acl-number ] | strict [ allow-default-route ] [ acl acl-number ] [ link-check ] }
By default, uRPF is disabled.
Enabling uRPF on an interface
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable uRPF.
ip urpf { loose [ allow-default-route ] [ acl acl-number ] | strict [ allow-default-route ] [ acl acl-number ] [ link-check ] }
By default, uRPF is disabled.
Enabling uRPF on a VT interface
About this task
uRPF enabled on a VT interface checks traffic of L2TP and PPPoE users for packet validity on the interface.
If you do not specify the subnet-check keyword, strict uRPF checks traffic of all L2TP and PPPoE users except leased users for packet validity based on source IP address.
If you specify the subnet-check keyword, strict uRPF checks traffic of all L2TP and PPPoE users including leased users for packet validity. The packet validity check is based on the Framed-Route or Framed-IP-Netmask RADIUS attribute.
Procedure
1. Enter system view.
system-view
2. Enter VT interface view.
interface virtual-template number
3. Enable uRPF.
ip urpf { loose [ allow-default-route ] [ acl acl-number ] | strict [ allow-default-route ] [ acl acl-number ] }
By default, strict uRPF check is enabled for all L2TP and PPPoE users except leased users.
Verifying and maintaining uRPF
To display uRPF configuration, execute the following command in any view:
display ip urpf [ interface interface-type interface-number ] [ slot slot-number ]
uRPF configuration examples
Example: Configuring uRPF for interfaces
Network configuration
As shown in Figure 4, perform the following tasks:
· Configure strict uRPF check on Ten-GigabitEthernet 0/0/6 of Router B and permit packets from network 10.1.1.0/24.
· Configure strict uRPF check on Ten-GigabitEthernet 0/0/6 of Router A and allow using the default route for uRPF check.
Procedure
1. Configure Router B:
# Configure ACL 2010 to permit traffic from network 10.1.1.0/24.
<RouterB> system-view
[RouterB] acl basic 2010
[RouterB-acl-ipv4-basic-2010] rule permit source 10.1.1.0 0.0.0.255
[RouterB-acl-ipv4-basic-2010] quit
# Specify an IP address for Ten-GigabitEthernet 0/0/6.
[RouterB] interface ten-gigabitethernet 0/0/6
[RouterB-Ten-GigabitEthernet0/0/6] ip address 1.1.1.2 255.255.255.0
# Configure strict uRPF check on Ten-GigabitEthernet 0/0/6.
[RouterB-Ten-GigabitEthernet0/0/6] ip urpf strict acl 2010
2. Configure Router A:
# Specify an IP address for Ten-GigabitEthernet 0/0/6.
<RouterA> system-view
[RouterA] interface ten-gigabitethernet 0/0/6
[RouterA-Ten-GigabitEthernet0/0/6] ip address 1.1.1.1 255.255.255.0
# Configure strict uRPF check on Ten-GigabitEthernet 0/0/6 and allow using the default route for uRPF check.
[RouterA-Ten-GigabitEthernet0/0/6] ip urpf strict allow-default-route
Configuring IPv6 uRPF
About IPv6 uRPF
IPv6 Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks.
IPv6 uRPF application scenario
Attackers send packets with a forged source address to a system that uses IPv6 address-based authentication, impersonating authorized users or even the administrator. Even though the attackers (or the hosts whose addresses they forge) never receive the response packets, the attack still disrupts the target.
Figure 5 Source address spoofing attack
As shown in Figure 5, an attacker on Router A sends the server (Router B) requests with a forged source IPv6 address 2000::1 at a high rate. Router B sends response packets to IPv6 address 2000::1 (Router C). Consequently, both Router B and Router C are attacked. If the administrator disconnects Router C by mistake, the network service is interrupted.
Attackers can also send packets with different forged source addresses or attack multiple servers simultaneously to block connections or even break down the network.
IPv6 uRPF can prevent these source address spoofing attacks. It checks whether an interface that receives a packet is the output interface of the FIB entry that matches the source address of the packet. If not, IPv6 uRPF considers it a spoofing attack and discards the packet.
IPv6 uRPF check modes
IPv6 uRPF supports strict and loose check modes.
Strict IPv6 uRPF check
To pass strict IPv6 uRPF check, the source address of a packet and the receiving interface must match the destination address and output interface of an IPv6 FIB entry. In some scenarios (for example, asymmetrical routing), strict IPv6 uRPF might discard valid packets.
Strict IPv6 uRPF is often deployed between a PE and a CE.
Loose IPv6 uRPF check
To pass loose IPv6 uRPF check, the source address of a packet must match the destination address of an IPv6 FIB entry; the receiving interface is not checked. Loose IPv6 uRPF avoids discarding valid packets in asymmetric routing, but might let attack packets through whenever the forged source address is routable at all.
Loose IPv6 uRPF is often deployed between ISPs, especially where routing is asymmetric.
IPv6 uRPF extended functions
Using the default route in IPv6 uRPF check
When a default route exists, every packet whose source address matches no specific IPv6 FIB entry still matches the default route. If IPv6 uRPF accepted that match, any source address whatsoever would pass the check on the interface the default route points out of. By default, therefore, IPv6 uRPF does not use the default route and discards packets that match only the default route. If you specify the allow-default-route keyword, IPv6 uRPF permits packets that match only the default route.
Typically, you do not need to configure the allow-default-route keyword on a PE device because it has no default route pointing to the CE device. If you enable uRPF on a CE interface and the CE interface has a default route pointing to the PE, specify the allow-default-route keyword.
Using an ACL for IPv6 uRPF check exemption
To exempt specific packets from IPv6 uRPF check, use an IPv6 ACL to match them. Packets permitted by the ACL are forwarded even if they fail IPv6 uRPF check (they are counted as suppressed drops rather than drops).
IPv6 uRPF operation
Figure 6 shows how IPv6 uRPF works.
1. IPv6 uRPF checks whether the received packet carries a multicast destination address:
¡ If yes, IPv6 uRPF permits the packet.
¡ If no, IPv6 uRPF proceeds to step 2.
2. IPv6 uRPF checks whether the IPv6 uRPF check mode is loose:
¡ If yes, IPv6 uRPF performs IPv6 FIB lookup based on the source IPv6 address and then proceeds to step 3.
¡ If no, IPv6 uRPF performs IPv6 FIB lookup based on the source IPv6 address and the receiving interface and then proceeds to step 3.
3. IPv6 uRPF checks whether the source address is a link-local address:
¡ If yes, IPv6 uRPF checks whether the receiving interface is an InLoop interface.
- If yes, IPv6 uRPF permits the packet.
- If no, IPv6 uRPF proceeds to step 8.
¡ If no, IPv6 uRPF proceeds to step 4.
4. IPv6 uRPF checks whether the source address is an all-zero address:
¡ If yes, IPv6 uRPF proceeds to step 8.
¡ If no, IPv6 uRPF proceeds to step 5.
5. IPv6 uRPF checks whether the source address matches a unicast route:
¡ If yes, IPv6 uRPF proceeds to step 6.
¡ If no, IPv6 uRPF proceeds to step 8.
6. IPv6 uRPF checks whether the matching route is to the host itself (whether the output interface of the matching route is an InLoop interface):
¡ If yes, IPv6 uRPF checks whether the receiving interface of the packet is an InLoop interface.
- If yes, IPv6 uRPF permits the packet.
- If no, IPv6 uRPF proceeds to step 8.
¡ If no, IPv6 uRPF proceeds to step 7.
7. IPv6 uRPF checks whether the matching route is a default route:
¡ If yes, IPv6 uRPF checks whether the allow-default-route keyword is configured to allow using the default route.
- If yes, the packet is forwarded.
- If no, IPv6 uRPF proceeds to step 8.
¡ If no, the packet is forwarded.
8. IPv6 uRPF checks whether the packet is permitted by the IPv6 ACL:
¡ If yes, the packet is forwarded (such a packet is displayed in the uRPF information as a "suppressed drop").
¡ If no, the packet is discarded.
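The eight-step decision flow above, together with the IPv4 flow under "uRPF operation" earlier in this chapter, can be written out as a small Python model so that the strict/loose, default-route, ACL-exemption and link-layer-check cases can be traced on concrete packets. This is an added example, not Comware code: the interface names (XGE0/0/6, InLoopBack0), the FIB and ARP entries, the exemption ACL and the packets are all constructed for illustration, and treating the next hop of a directly connected prefix as the source address itself is an assumption of the model. The topology follows Figure 1: Router B faces the customer prefix behind Router A on one interface, Device C's prefix on another, and everything else through a default route.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

INLOOP = "InLoopBack0"   # assumed name for the device's own InLoop interface


@dataclass
class FibEntry:
    prefix: str                     # "10.1.1.0/24", "0.0.0.0/0", "::/0", ...
    out_if: str
    next_hop: Optional[str] = None  # None for a directly connected prefix


@dataclass
class Config:
    mode: str = "strict"            # "strict" or "loose"
    allow_default_route: bool = False
    link_check: bool = False        # IPv4 strict only; IPv6 uRPF has no link check
    acl_exempt: tuple = ()          # prefixes the exemption ACL permits


@dataclass
class Packet:
    src: str
    dst: str = "1.1.1.2"            # Router B's own address unless overridden
    in_if: str = "XGE0/0/6"         # interface facing Router A unless overridden
    src_mac: Optional[str] = None


def fib_lookup(fib, addr, in_if=None):
    """Step 2: longest-prefix match for addr.  In strict mode in_if is given and
    the chosen entry must also point out of the receiving interface."""
    best = None
    for e in fib:
        net = ipaddress.ip_network(e.prefix)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen:
                best = e
    if best is not None and in_if is not None and best.out_if != in_if:
        return None
    return best


def acl_result(cfg, src):
    """Step 8: a packet that failed the check is forwarded only if the ACL permits it."""
    if any(src in ipaddress.ip_network(p) for p in cfg.acl_exempt):
        return "suppressed drop"    # forwarded, but counted as a suppressed drop
    return "drop"


def urpf_check(pkt, fib, cfg, arp=None):
    """Return "permit", "suppressed drop" or "drop" for one received packet."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if dst.is_multicast:                                        # step 1
        return "permit"
    route = fib_lookup(fib, src, None if cfg.mode == "loose" else pkt.in_if)
    if src.version == 6 and src.is_link_local:                  # IPv6 step 3
        return "permit" if pkt.in_if == INLOOP else acl_result(cfg, src)
    if src.is_unspecified:                                      # IPv4 step 3, IPv6 step 4
        if src.version == 4 and pkt.dst == "255.255.255.255":   # e.g. DHCP Discover
            return "permit"
        return acl_result(cfg, src)
    if route is None:                                           # step 4 (IPv6 step 5)
        return acl_result(cfg, src)
    if route.out_if == INLOOP:                                  # step 5: route to the device itself
        return "permit" if pkt.in_if == INLOOP else acl_result(cfg, src)
    if ipaddress.ip_network(route.prefix).prefixlen == 0 and not cfg.allow_default_route:
        return acl_result(cfg, src)                             # step 6: matched only the default route
    if src.version == 4 and cfg.link_check:                     # step 7: IPv4 link layer check
        nh = route.next_hop or pkt.src   # directly connected: next hop is the source (assumption)
        if (arp or {}).get(nh) != pkt.src_mac:
            return acl_result(cfg, src)
    return "permit"


def run_demo():
    """Constructed topology after Figure 1: Router B (1.1.1.2) faces Router A
    (1.1.1.1, customer prefix 10.1.1.0/24) on XGE0/0/6, Device C's 2.2.2.0/24
    on XGE0/0/7, and reaches everything else via a default route on XGE0/0/8."""
    fib = [FibEntry("1.1.1.0/24", "XGE0/0/6"), FibEntry("10.1.1.0/24", "XGE0/0/6", "1.1.1.1"),
           FibEntry("2.2.2.0/24", "XGE0/0/7"), FibEntry("1.1.1.2/32", INLOOP),
           FibEntry("0.0.0.0/0", "XGE0/0/8", "3.3.3.1"), FibEntry("1000::/64", "XGE0/0/6"),
           FibEntry("1010::/64", "XGE0/0/6", "1000::1"), FibEntry("::/0", "XGE0/0/8", "3000::1")]
    arp = {"1.1.1.1": "00:11:22:33:44:55"}            # constructed ARP entry for Router A
    strict, loose = Config("strict"), Config("loose")
    linkchk = Config("strict", link_check=True)
    return {
        "customer_strict": urpf_check(Packet("10.1.1.5"), fib, strict),
        "spoofed_c_strict": urpf_check(Packet("2.2.2.1"), fib, strict),    # the Figure 1 attack
        "spoofed_c_loose": urpf_check(Packet("2.2.2.1"), fib, loose),     # loose lets it through
        "own_addr_loose": urpf_check(Packet("1.1.1.2"), fib, loose),      # forging the router's address
        "default_only": urpf_check(Packet("8.8.8.8", in_if="XGE0/0/8"), fib, strict),
        "default_allowed": urpf_check(Packet("8.8.8.8", in_if="XGE0/0/8"), fib,
                                      Config("strict", allow_default_route=True)),
        "acl_exempt": urpf_check(Packet("192.0.2.7"), fib, Config("strict", acl_exempt=("192.0.2.0/24",))),
        "dhcp_discover": urpf_check(Packet("0.0.0.0", dst="255.255.255.255"), fib, strict),
        "link_check_ok": urpf_check(Packet("10.1.1.5", src_mac="00:11:22:33:44:55"), fib, linkchk, arp),
        "link_check_bad": urpf_check(Packet("10.1.1.5", src_mac="de:ad:be:ef:00:01"), fib, linkchk, arp),
        "v6_customer": urpf_check(Packet("1010::9", dst="1000::2"), fib, strict),
        "v6_default_only_loose": urpf_check(Packet("2001:db8::1", dst="1000::2"), fib, loose),
        "v6_link_local_unicast": urpf_check(Packet("fe80::1", dst="1000::2"), fib, strict),
        "v6_neighbor_solicit": urpf_check(Packet("fe80::1", dst="ff02::1:ff00:2"), fib, strict),
    }
```

Call run_demo() to get the verdict for each case. The strict/loose pair for source 2.2.2.1 is the trade-off described under "uRPF check modes": strict drops the Figure 1 attack because 2.2.2.0/24 is reached through a different interface, loose permits it because the address is routable. The own-address case shows why step 5 exists even in loose mode, the 8.8.8.8 pair shows the effect of allow-default-route on an upstream-facing interface, and the two fe80::1 cases show that Neighbor Discovery to a multicast destination is permitted at step 1 while link-local unicast from a neighbor falls through to the ACL check.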
Network application
As shown in Figure 7, strict IPv6 uRPF check is configured between an ISP network and a customer network. Loose IPv6 uRPF check is configured between ISPs.
For special packets or users, you can configure IPv6 ACLs.
Restrictions and guidelines: IPv6 uRPF configuration
If you enable IPv6 uRPF on an interface, you can use the display ipv6 interface command to view statistics about packets discarded by IPv6 uRPF (displayed as "Drops" and "Suppressed drops"). If you enable IPv6 uRPF globally, the system does not provide statistics about packets discarded by IPv6 uRPF.
Do not configure the allow-default-route keyword for loose IPv6 uRPF check. Otherwise, IPv6 uRPF might fail to work.
If you configure IPv6 uRPF globally and on an interface, the interface preferentially uses the interface-specific settings.
Do not use strict IPv6 uRPF if ECMP routing is available in the network. Service packets that travel along ECMP routes cannot pass the strict uRPF check and will be dropped.
Enabling IPv6 uRPF globally
Restrictions and guidelines
Global IPv6 uRPF takes effect on all interfaces of the device.
Procedure
1. Enter system view.
system-view
2. Enable global IPv6 uRPF.
ipv6 urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]
By default, IPv6 uRPF is disabled.
Enabling IPv6 uRPF on an interface
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable IPv6 uRPF.
ipv6 urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]
By default, IPv6 uRPF is disabled.
Enabling IPv6 uRPF on a VT interface
About this task
IPv6 uRPF enabled on a VT interface checks traffic of L2TP and PPPoE users for packet validity on the interface.
Procedure
1. Enter system view.
system-view
2. Enter VT interface view.
interface virtual-template number
3. Enable IPv6 uRPF.
ipv6 urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]
By default, IPv6 uRPF check is disabled.
Verifying and maintaining IPv6 uRPF
To display IPv6 uRPF configuration, execute the following command in any view:
display ipv6 urpf [ interface interface-type interface-number ] [ slot slot-number ]
IPv6 uRPF configuration examples
Example: Configuring IPv6 uRPF for interfaces
Network configuration
As shown in Figure 8, perform the following tasks:
· Configure strict IPv6 uRPF check on Ten-GigabitEthernet 0/0/6 of Router B and permit packets from network 1010::/64.
· Configure strict IPv6 uRPF check on Ten-GigabitEthernet 0/0/6 of Router A and allow using the default route for IPv6 uRPF check.
Procedure
1. Configure Router B:
# Configure IPv6 ACL 2010 to permit traffic from network 1010::/64.
<RouterB> system-view
[RouterB] acl ipv6 basic 2010
[RouterB-acl-ipv6-basic-2010] rule permit source 1010:: 64
[RouterB-acl-ipv6-basic-2010] quit
# Specify an IPv6 address for Ten-GigabitEthernet 0/0/6.
[RouterB] interface ten-gigabitethernet 0/0/6
[RouterB-Ten-GigabitEthernet0/0/6] ipv6 address 1000::2/64
# Configure strict uRPF check on Ten-GigabitEthernet 0/0/6.
[RouterB-Ten-GigabitEthernet0/0/6] ipv6 urpf strict acl 2010
2. Configure Router A:
# Specify an IPv6 address for Ten-GigabitEthernet 0/0/6.
<RouterA> system-view
[RouterA] interface ten-gigabitethernet 0/0/6
[RouterA-Ten-GigabitEthernet0/0/6] ipv6 address 1000::1/64
# Configure strict uRPF check on Ten-GigabitEthernet 0/0/6 and allow using the default route for IPv6 uRPF check.
[RouterA-Ten-GigabitEthernet0/0/6] ipv6 urpf strict allow-default-route