10-Security Configuration Guide

21-uRPF configuration

Configuring uRPF

About uRPF

Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks.

uRPF application scenario

Attackers send packets with a forged source address to access a system that uses IPv4-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.

Figure 1 Source address spoofing attack

As shown in Figure 1, an attacker on Router A sends the server (Router B) requests with a forged source IP address 2.2.2.1 at a high rate. Router B sends response packets to IP address 2.2.2.1 (Router C). Consequently, both Router B and Router C are attacked. If the administrator disconnects Router C by mistake, the network service is interrupted.

Attackers can also send packets with different forged source addresses or attack multiple servers simultaneously to block connections or even break down the network.

uRPF can prevent these source address spoofing attacks. It checks whether an interface that receives a packet is the output interface of the FIB entry that matches the source address of the packet. If not, uRPF considers it a spoofing attack and discards the packet.

uRPF check modes

uRPF supports strict and loose modes.

Strict uRPF check

To pass strict uRPF check, the source address of a packet and the receiving interface must match the destination address and output interface of a FIB entry. In some scenarios (for example, asymmetrical routing), strict uRPF might discard valid packets.

Strict uRPF is often deployed between a PE and a CE.

Loose uRPF check

To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry. Loose uRPF avoids discarding valid packets, but might let attack packets through.

Loose uRPF is often deployed between ISPs, especially in asymmetrical routing.

uRPF operation

1.     uRPF checks whether the received packet carries a multicast destination address:
   -     If yes, uRPF permits the packet.
   -     If no, uRPF proceeds to step 2.

2.     uRPF checks whether the uRPF check mode is loose:
   -     If yes, uRPF performs FIB lookup based on the source IP address and then proceeds to step 3.
   -     If no, uRPF performs FIB lookup based on the source IP address and the receiving interface and then proceeds to step 3.

3.     uRPF checks whether the source IP address is an all-zero address:
   -     If yes, uRPF checks whether the destination address of the packet is a broadcast address.
         -     If yes, uRPF permits the packet.
         -     If no, the packet is discarded.
   -     If no, uRPF proceeds to step 4.

4.     uRPF checks whether the source address matches a unicast route:
   -     If yes, uRPF proceeds to step 5.
   -     If no, the packet is discarded.

5.     uRPF checks whether the matching route is to the host itself (whether the output interface of the matching route is an InLoop interface):
   -     If yes, uRPF checks whether the receiving interface of the packet is an InLoop interface.
         -     If yes, uRPF permits the packet.
         -     If no, the packet is discarded.
   -     If no, the packet is discarded.
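The decision flow above, as an added example that is not code from the H3C guide: a Python model of the IPv4 uRPF check run against a constructed FIB. It applies the check-mode definitions from the previous section to a packet whose route is an ordinary unicast route (not to the host itself): loose mode needs any unicast route for the source, strict mode additionally needs the receiving interface to equal the route's output interface. Interface names (Vlan10, Vlan20, InLoop0) and the FIB contents are assumptions.

```python
# Added example (not from the H3C guide): a model of uRPF operation
# steps 1-5 above, run against a constructed FIB. The interface names
# and FIB contents are assumptions made for illustration only.
import ipaddress

# Constructed FIB: destination prefix -> output interface.
# "InLoop0" marks a route to the device itself (step 5).
FIB = {
    "1.1.1.0/24": "Vlan10",
    "1.1.1.2/32": "InLoop0",
    "2.2.2.0/24": "Vlan20",
}

def fib_lookup(addr):
    """Longest-prefix match on the constructed FIB; None if no route."""
    best = None
    for prefix, oif in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, oif)
    return best

def urpf_check(src, dst, in_if, mode):
    """Return 'permit' or 'discard' for a packet (src, dst) received on in_if.

    mode is 'strict' or 'loose', matching the keywords of ip urpf.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst.is_multicast:                          # step 1: multicast destination
        return "permit"
    route = fib_lookup(src)                       # step 2: FIB lookup by source
    if src == ipaddress.ip_address("0.0.0.0"):    # step 3: all-zero source
        return "permit" if dst == ipaddress.ip_address("255.255.255.255") else "discard"
    if route is None:                             # step 4: no unicast route
        return "discard"
    oif = route[1]
    if oif == "InLoop0":                          # step 5: route to the host itself
        return "permit" if in_if == "InLoop0" else "discard"
    if mode == "loose":                           # loose: any unicast route suffices
        return "permit"
    # strict: the receiving interface must be the route's output interface
    return "permit" if in_if == oif else "discard"

if __name__ == "__main__":
    # Figure 1 scenario: forged source 2.2.2.1 arrives on Vlan10, but the
    # route to 2.2.2.0/24 points out Vlan20 (toward Router C).
    print(urpf_check("2.2.2.1", "1.1.1.2", "Vlan10", "strict"))  # discard
    print(urpf_check("2.2.2.1", "1.1.1.2", "Vlan10", "loose"))   # permit
    # A packet forging the device's own address 1.1.1.2 from Vlan10
    print(urpf_check("1.1.1.2", "1.1.1.1", "Vlan10", "strict"))  # discard
```

The loose result in the second call is the trade-off the guide describes: asymmetric routing is tolerated, so the spoofed packet is not caught.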

Network application

As shown in Figure 2, strict uRPF check is configured between an ISP network and a customer network. Loose uRPF check is configured between ISPs.

Figure 2 Network diagram

Restrictions and guidelines: uRPF configuration

If you enable uRPF on an interface, you can use the display ip interface command to display statistics about packets discarded by uRPF (displayed as "Drops" and "Suppressed drops").

Do not configure both strict uRPF check and loose IPv6 uRPF check, or loose uRPF check and strict IPv6 uRPF check on an interface.

Do not use strict uRPF if ECMP routing is available in the network. Service packets that travel along ECMP routes cannot pass the strict uRPF check and will be dropped.

Enabling uRPF on an interface

1.     Enter system view.

system-view

2.     Enter Layer 3 interface view.

interface interface-type interface-number

3.     Enable uRPF.

ip urpf { loose | strict }

By default, uRPF is disabled.

Display and maintenance commands for uRPF

Execute display commands in any view.

Task: Display uRPF configuration.

Command:

·     In standalone mode: display ip urpf interface interface-type interface-number [ slot slot-number ]

·     In IRF mode: display ip urpf interface interface-type interface-number [ chassis chassis-number slot slot-number ]

uRPF configuration examples

Example: Configuring uRPF for interfaces

Network configuration

As shown in Figure 3, perform the following tasks:

·     Configure strict uRPF check on VLAN-interface 10 of Switch B.

·     Configure strict uRPF check on VLAN-interface 10 of Switch A.

Figure 3 Network diagram

Procedure

1.     Configure Switch B:

# Create VLAN 10.

<SwitchB> system-view

[SwitchB] vlan 10

[SwitchB-vlan10] quit

# Specify an IP address for VLAN-interface 10.

[SwitchB] interface vlan-interface 10

[SwitchB-Vlan-interface10] ip address 1.1.1.2 255.255.255.0

# Configure strict uRPF check on VLAN-interface 10.

[SwitchB-Vlan-interface10] ip urpf strict

2.     Configure Switch A:

# Create VLAN 10.

<SwitchA> system-view

[SwitchA] vlan 10

[SwitchA-vlan10] quit

# Specify an IP address for VLAN-interface 10.

[SwitchA] interface vlan-interface 10

[SwitchA-Vlan-interface10] ip address 1.1.1.1 255.255.255.0

# Configure strict uRPF check on VLAN-interface 10.

[SwitchA-Vlan-interface10] ip urpf strict


Configuring IPv6 uRPF

About IPv6 uRPF

IPv6 Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks.

IPv6 uRPF application scenario

Attackers send packets with a forged source address to access a system that uses IPv6-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.

Figure 4 Source address spoofing attack

As shown in Figure 4, an attacker on Router A sends the server (Router B) requests with a forged source IPv6 address 2000::1 at a high rate. Router B sends response packets to IPv6 address 2000::1 (Router C). Consequently, both Router B and Router C are attacked. If the administrator disconnects Router C by mistake, the network service is interrupted.

Attackers can also send packets with different forged source addresses or attack multiple servers simultaneously to block connections or even break down the network.

IPv6 uRPF can prevent these source address spoofing attacks. It checks whether an interface that receives a packet is the output interface of the FIB entry that matches the source address of the packet. If not, IPv6 uRPF considers it a spoofing attack and discards the packet.

IPv6 uRPF check modes

IPv6 uRPF supports strict and loose check modes.

Strict IPv6 uRPF check

To pass strict IPv6 uRPF check, the source address of a packet and the receiving interface must match the destination address and output interface of an IPv6 FIB entry. In some scenarios (for example, asymmetrical routing), strict IPv6 uRPF might discard valid packets.

Strict IPv6 uRPF is often deployed between a PE and a CE.

Loose IPv6 uRPF check

To pass loose IPv6 uRPF check, the source address of a packet must match the destination address of an IPv6 FIB entry. Loose IPv6 uRPF avoids discarding valid packets, but might let attack packets through.

Loose IPv6 uRPF is often deployed between ISPs, especially in asymmetrical routing.

IPv6 uRPF operation

1.     IPv6 uRPF checks whether the received packet carries a multicast destination address:
   -     If yes, IPv6 uRPF permits the packet.
   -     If no, IPv6 uRPF proceeds to step 2.

2.     IPv6 uRPF checks whether the IPv6 uRPF check mode is loose:
   -     If yes, IPv6 uRPF performs IPv6 FIB lookup based on the source IPv6 address and then proceeds to step 3.
   -     If no, IPv6 uRPF performs IPv6 FIB lookup based on the source IPv6 address and the receiving interface and then proceeds to step 3.

3.     IPv6 uRPF checks whether the source address is a link-local address:
   -     If yes, IPv6 uRPF checks whether the receiving interface is an InLoop interface.
         -     If yes, IPv6 uRPF permits the packet.
         -     If no, IPv6 uRPF proceeds to step 4.
   -     If no, IPv6 uRPF proceeds to step 8.

4.     IPv6 uRPF checks whether the source address is an all-zero address:
   -     If yes, IPv6 uRPF proceeds to step 8.
   -     If no, IPv6 uRPF proceeds to step 5.

5.     IPv6 uRPF checks whether the source address matches a unicast route:
   -     If yes, IPv6 uRPF proceeds to step 6.
   -     If no, the packet is discarded.

6.     IPv6 uRPF checks whether the matching route is to the host itself (whether the output interface of the matching route is an InLoop interface):
   -     If yes, IPv6 uRPF checks whether the receiving interface of the packet is an InLoop interface.
         -     If yes, IPv6 uRPF permits the packet.
         -     If no, the packet is discarded.
   -     If no, the packet is discarded.

Network application

As shown in Figure 5, strict IPv6 uRPF check is configured between an ISP network and a customer network. Loose IPv6 uRPF check is configured between ISPs.

Figure 5 Network diagram

 

Restrictions and guidelines: IPv6 uRPF configuration

If you enable IPv6 uRPF on an interface, you can use the display ipv6 interface command to view statistics about packets discarded by IPv6 uRPF (displayed as "Drops" and "Suppressed drops").

Do not configure both strict IPv6 uRPF check and loose uRPF check, or loose IPv6 uRPF check and strict uRPF check on an interface.

Do not use strict IPv6 uRPF if ECMP routing is available in the network. Service packets that travel along ECMP routes cannot pass the strict IPv6 uRPF check and will be dropped.

Enabling IPv6 uRPF on an interface

1.     Enter system view.

system-view

2.     Enter Layer 3 interface view.

interface interface-type interface-number

3.     Enable IPv6 uRPF.

ipv6 urpf { loose | strict }

By default, IPv6 uRPF is disabled.

Display and maintenance commands for IPv6 uRPF

Execute display commands in any view.

Task: Display IPv6 uRPF configuration.

Command:

·     In standalone mode: display ipv6 urpf interface interface-type interface-number [ slot slot-number ]

·     In IRF mode: display ipv6 urpf interface interface-type interface-number [ chassis chassis-number slot slot-number ]

IPv6 uRPF configuration examples

Example: Configuring IPv6 uRPF for interfaces

Network configuration

As shown in Figure 6, perform the following tasks:

·     Configure strict IPv6 uRPF check on VLAN-interface 10 of Switch B.

·     Configure strict IPv6 uRPF check on VLAN-interface 10 of Switch A.

Figure 6 Network diagram

Procedure

1.     Configure Switch B:

# Create VLAN 10.

<SwitchB> system-view

[SwitchB] vlan 10

[SwitchB-vlan10] quit

# Specify an IPv6 address for VLAN-interface 10.

[SwitchB] interface vlan-interface 10

[SwitchB-Vlan-interface10] ipv6 address 1000::2/64

# Configure strict IPv6 uRPF check on VLAN-interface 10.

[SwitchB-Vlan-interface10] ipv6 urpf strict

2.     Configure Switch A:

# Create VLAN 10.

<SwitchA> system-view

[SwitchA] vlan 10

[SwitchA-vlan10] quit

# Specify an IPv6 address for VLAN-interface 10.

[SwitchA] interface vlan-interface 10

[SwitchA-Vlan-interface10] ipv6 address 1000::1/64

# Configure strict IPv6 uRPF check on VLAN-interface 10.

[SwitchA-Vlan-interface10] ipv6 urpf strict
