11-Security Configuration Guide


Configuring uRPF

About uRPF

Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks.

uRPF application scenario

Attackers send packets with a forged source address to access a system that uses IPv4 address-based authentication, posing as authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attack still disrupts the target.

Figure 1 Source address spoofing attack

As shown in Figure 1, an attacker on Router A sends requests to the server (Router B) at a high rate with the forged source IP address 2.2.2.1. Router B sends its response packets to IP address 2.2.2.1 (Router C). Consequently, both Router B and Router C are attacked. If the administrator disconnects Router C by mistake, the network service is interrupted.

Attackers can also send packets with different forged source addresses or attack multiple servers simultaneously to block connections or even break down the network.

uRPF can prevent these source address spoofing attacks. It checks whether an interface that receives a packet is the output interface of the FIB entry that matches the source address of the packet. If not, uRPF considers it a spoofing attack and discards the packet.

uRPF check modes

uRPF supports strict and loose modes.

Strict uRPF check

To pass strict uRPF check, the source address of a packet and the receiving interface must match the destination address and output interface of a FIB entry. In some scenarios (for example, asymmetrical routing), strict uRPF might discard valid packets.

Strict uRPF is often deployed between a PE and a CE.

Loose uRPF check

To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry; the receiving interface is not checked. Loose uRPF avoids discarding valid packets, but might let attack packets through.

Loose uRPF is often deployed between ISPs, especially in asymmetrical routing.

uRPF extended functions

Using the default route in uRPF check

When a default route exists, every packet whose source address fails to match a specific FIB entry still matches the default route, so a uRPF check that used the default route would permit it. To avoid this, uRPF can be kept from using any default route, in which case such packets are discarded. If you allow using the default route (by specifying the allow-default-route keyword), uRPF permits packets that match only the default route.

By default, uRPF discards packets that can only match a default route.

Using an ACL for uRPF check exemption

To identify specific packets as valid, you can use an ACL to match them. Packets matched by the ACL are forwarded even if they do not pass uRPF check.

uRPF operation

Figure 2 shows how uRPF works.

Figure 2 uRPF work flow

1.  uRPF checks whether the received packet carries a multicast destination address:
    - If yes, uRPF permits the packet.
    - If no, uRPF proceeds to step 2.

2.  uRPF checks whether the uRPF check mode is loose:
    - If yes, uRPF performs FIB lookup based on the source IP address and then proceeds to step 3.
    - If no, uRPF performs FIB lookup based on the source IP address and the receiving interface and then proceeds to step 3.

3.  uRPF checks whether the source IP address is an all-zero address:
    - If yes, uRPF checks whether the destination address of the packet is a broadcast address.
        - If yes, uRPF permits the packet.
        - If no, uRPF discards the packet.
    - If no, uRPF proceeds to step 4.

4.  uRPF checks whether the source address matches a unicast route:
    - If yes, uRPF proceeds to step 5.
    - If no, uRPF discards the packet.

5.  uRPF checks whether the matching route is to the host itself (whether the output interface of the matching route is an InLoop interface):
    - If yes, uRPF checks whether the receiving interface of the packet is an InLoop interface.
        - If yes, uRPF permits the packet.
        - If no, uRPF discards the packet.
    - If no, uRPF proceeds to step 6.

6.  uRPF checks whether the matching route is a default route:
    - If yes, uRPF checks whether the allow-default-route keyword is configured to allow using the default route.
        - If yes, the packet is forwarded.
        - If no, the packet is discarded.
    - If no, the packet is forwarded.
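The following Python model walks a packet through the six steps above, and also applies the two extended functions (allow-default-route and ACL exemption) and the ECMP rule from "Restrictions and guidelines" (strict check falls back to loose when an ECMP route has more than 8 paths). It is an added example, not H3C code or a description of the switch's forwarding implementation: the FIB, the GE1/0/x interface names, the prefixes and the name InLoop0 are constructed, and only the limited broadcast address 255.255.255.255 is treated as "broadcast" in step 3.

```python
"""uRPF decision flow modelled over a constructed FIB (added example, not H3C code)."""
import ipaddress
from dataclasses import dataclass

ECMP_STRICT_LIMIT = 8          # guide: >8 ECMP paths -> strict check becomes loose
LOOPBACK_IFACE = "InLoop0"     # assumed name of the route-to-self output interface
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")  # only broadcast form checked


@dataclass(frozen=True)
class FibEntry:
    prefix: ipaddress.IPv4Network   # destination prefix of the FIB entry
    out_ifaces: frozenset           # more than one member models an ECMP route


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str                   # interface the packet was received on


def fib_lookup(fib, addr):
    """Longest-prefix match of ADDR against the destination prefixes in FIB."""
    a = ipaddress.ip_address(addr)
    best = None
    for entry in fib:
        if a in entry.prefix and (best is None or entry.prefix.prefixlen > best.prefix.prefixlen):
            best = entry
    return best


def urpf_check(pkt, fib, mode="strict", allow_default_route=False, exempt_acl=()):
    """Return (verdict, reason) for PKT following the six steps of the work flow."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # ACL exemption: matched packets are forwarded even if they would fail below.
    if any(src in net for net in exempt_acl):
        return "permit", "exempted by ACL"

    # Step 1: a multicast destination is always permitted.
    if dst.is_multicast:
        return "permit", "multicast destination"

    # Step 2: FIB lookup keyed by the SOURCE address. Strict mode also requires the
    # receiving interface to be an output interface of the entry, unless the entry
    # is an ECMP route with more than ECMP_STRICT_LIMIT paths (then loose applies).
    entry = fib_lookup(fib, pkt.src)
    effective_mode = mode
    if entry is not None and mode == "strict" and len(entry.out_ifaces) > ECMP_STRICT_LIMIT:
        effective_mode = "loose"

    # Step 3: an all-zero source is valid only with a broadcast destination.
    if src == ipaddress.ip_address("0.0.0.0"):
        if dst == LIMITED_BROADCAST:
            return "permit", "all-zero source to broadcast destination"
        return "discard", "all-zero source to non-broadcast destination"

    # Step 4: the source must match a unicast route (strict: on the receiving interface).
    if entry is None:
        return "discard", "no route to source address"
    if effective_mode == "strict" and pkt.in_iface not in entry.out_ifaces:
        return "discard", "receiving interface is not an output interface of the route"

    # Step 5: a route to the device itself may only be matched by local traffic.
    if entry.out_ifaces == frozenset({LOOPBACK_IFACE}):
        if pkt.in_iface == LOOPBACK_IFACE:
            return "permit", "locally originated"
        return "discard", "own address used as source on an external interface"

    # Step 6: a packet that matches only the default route needs allow-default-route.
    if entry.prefix.prefixlen == 0:
        if allow_default_route:
            return "permit", "default route allowed by allow-default-route"
        return "discard", "only the default route matched"

    return "permit", "source reachable via " + ",".join(sorted(entry.out_ifaces))


# Constructed FIB of an ISP edge device: default route to the upstream on GE1/0/1,
# a customer behind GE1/0/2, a 2-path and a 9-path ECMP prefix, and the device's
# own address via InLoop0.
FIB = (
    FibEntry(ipaddress.ip_network("0.0.0.0/0"), frozenset({"GE1/0/1"})),
    FibEntry(ipaddress.ip_network("10.1.0.0/16"), frozenset({"GE1/0/2"})),
    FibEntry(ipaddress.ip_network("10.2.0.0/16"), frozenset({"GE1/0/3", "GE1/0/4"})),
    FibEntry(ipaddress.ip_network("10.3.0.0/16"), frozenset("GE1/0/%d" % n for n in range(10, 19))),
    FibEntry(ipaddress.ip_network("192.0.2.1/32"), frozenset({LOOPBACK_IFACE})),
)
EXEMPT_ACL = (ipaddress.ip_network("172.16.0.0/12"),)   # constructed exemption ACL

if __name__ == "__main__":
    server = "198.51.100.9"
    samples = [
        ("strict", Packet("10.1.5.5", server, "GE1/0/2"), False, ()),
        ("strict", Packet("10.1.5.5", server, "GE1/0/1"), False, ()),    # spoofed customer address
        ("loose", Packet("10.1.5.5", server, "GE1/0/1"), False, ()),
        ("loose", Packet("203.0.113.7", server, "GE1/0/1"), False, ()),  # only default route matches
        ("loose", Packet("203.0.113.7", server, "GE1/0/1"), True, ()),
        ("loose", Packet("192.0.2.1", server, "GE1/0/2"), False, ()),    # device's own address
        ("strict", Packet("0.0.0.0", "255.255.255.255", "GE1/0/2"), False, ()),
        ("strict", Packet("10.3.1.1", server, "GE1/0/1"), False, ()),    # 9-path ECMP -> loose
        ("strict", Packet("172.16.0.1", server, "GE1/0/2"), False, EXEMPT_ACL),
    ]
    for mode, pkt, allow_default, acl in samples:
        verdict, reason = urpf_check(pkt, FIB, mode, allow_default, acl)
        print("%-6s %-12s on %-8s -> %-7s (%s)" % (mode, pkt.src, pkt.in_iface, verdict, reason))
```

Running the script prints one verdict per sample packet. The second and third samples show the practical difference between the modes: the same customer source address arriving on the upstream interface is discarded by strict check but accepted by loose check, which is why the guide places strict check on PE-CE links and loose check between ISPs with asymmetric routing.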

Network application

As shown in Figure 3, strict uRPF check is configured between an ISP network and a customer network. Loose uRPF check is configured between ISPs.

For special packets or users, you can configure ACLs.

Figure 3 Network diagram

Restrictions and guidelines: uRPF configuration

Do not configure the allow-default-route keyword for loose uRPF check. Otherwise, uRPF might fail to work.

If you configure uRPF globally and on an interface, the interface preferentially uses the interface-specific settings.

If you enable uRPF globally or on an interface, IPv6 uRPF is also enabled. Make sure uRPF and IPv6 uRPF use the same global or interface-based check mode and allow-default-route settings.

If you configure both strict uRPF and ECMP routing, the device performs uRPF check on service packets matching the ECMP routes as follows:

·     When the number of ECMP routes is less than or equal to 8, the device performs strict uRPF check.

·     When the number of ECMP routes is greater than 8, the device performs loose uRPF check.

You can enable uRPF on Layer 3 interfaces, Layer 3 subinterfaces, Layer 3 aggregate interfaces, Layer 3 aggregate subinterfaces, or VLAN interfaces.

As a best practice, schedule uRPF configuration for a maintenance window, because a short Layer 3 traffic interruption occurs after uRPF is configured.

uRPF checks only incoming packets on interfaces.

A Layer 3 interface enabled with uRPF cannot act as a public network interface of a tunnel.

uRPF does not take effect on tunneled packets. The processing of tunneled packets varies as follows:

·     If loose uRPF is configured, the device allows the tunneled packets to pass through.

·     If strict uRPF is configured, the device drops the tunneled packets.

In an MPLS network, an egress node cannot perform strict uRPF check on packets from the penultimate hop to which the egress assigns an implicit null label. For more information about the implicit null label, see MPLS Configuration Guide.

uRPF is mutually exclusive with the following features:

·     Super VLAN.

·     Private VLAN.

·     ARP proxy forwarding.

·     ND proxy forwarding.

·     SAVA.

For more information about super VLAN and private VLAN features, see VLAN configuration in Layer 2—LAN Switching Configuration Guide. For more information about ARP proxy forwarding, see ARP configuration in Layer 3—IP Services Configuration Guide. For more information about ND proxy forwarding, see IPv6 basics configuration in Layer 3—IP Services Configuration Guide. For more information about SAVA, see "Configuring SAVA."

Enabling uRPF globally

Restrictions and guidelines

Global uRPF takes effect on all interfaces of the device.

Procedure

1.     Enter system view.

system-view

2.     Enable uRPF globally.

ip urpf { loose [ allow-default-route ] [ acl acl-number ] | strict [ allow-default-route ] [ acl acl-number ] }

By default, uRPF is disabled.

Enabling uRPF on an interface

1.     Enter system view.

system-view

2.     Enter Layer 3 interface view.

interface interface-type interface-number

3.     Enable uRPF.

ip urpf { loose [ allow-default-route ] [ acl acl-number ] | strict [ allow-default-route ] [ acl acl-number ] }

By default, uRPF is disabled.

Display and maintenance commands for uRPF

Execute display commands in any view.

Task: Display uRPF configuration.

Command (standalone mode):

display ip urpf [ interface interface-type interface-number ] [ slot slot-number ]

Command (IRF mode):

display ip urpf [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]


Configuring IPv6 uRPF

About IPv6 uRPF

IPv6 Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks.

IPv6 uRPF application scenario

Attackers send packets with a forged source address to access a system that uses IPv6 address-based authentication, posing as authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attack still disrupts the target.

Figure 4 Source address spoofing attack

As shown in Figure 4, an attacker on Router A sends requests to the server (Router B) at a high rate with the forged source IPv6 address 2000::1. Router B sends its response packets to IPv6 address 2000::1 (Router C). Consequently, both Router B and Router C are attacked. If the administrator disconnects Router C by mistake, the network service is interrupted.

Attackers can also send packets with different forged source addresses or attack multiple servers simultaneously to block connections or even break down the network.

IPv6 uRPF can prevent these source address spoofing attacks. It checks whether an interface that receives a packet is the output interface of the FIB entry that matches the source address of the packet. If not, IPv6 uRPF considers it a spoofing attack and discards the packet.

IPv6 uRPF check modes

IPv6 uRPF supports strict and loose check modes.

Strict IPv6 uRPF check

To pass strict IPv6 uRPF check, the source address of a packet and the receiving interface must match the destination address and output interface of an IPv6 FIB entry. In some scenarios (for example, asymmetrical routing), strict IPv6 uRPF might discard valid packets.

Strict IPv6 uRPF is often deployed between a PE and a CE.

Loose IPv6 uRPF check

To pass loose IPv6 uRPF check, the source address of a packet must match the destination address of an IPv6 FIB entry; the receiving interface is not checked. Loose IPv6 uRPF avoids discarding valid packets, but might let attack packets through.

Loose IPv6 uRPF is often deployed between ISPs, especially in asymmetrical routing.

IPv6 uRPF extended functions

Using the default route in IPv6 uRPF check

When a default route exists, every packet whose source address fails to match a specific IPv6 FIB entry still matches the default route, so an IPv6 uRPF check that used the default route would permit it. If you allow using the default route (by specifying the allow-default-route keyword), IPv6 uRPF permits packets that match only the default route.

By default, IPv6 uRPF discards packets that can only match a default route.

Using an ACL for IPv6 uRPF check exemption

To identify specific packets as valid, you can use an IPv6 ACL to match them. Packets matched by the ACL are forwarded even if they do not pass IPv6 uRPF check.

Network application

As shown in Figure 5, strict IPv6 uRPF check is configured between an ISP network and a customer network. Loose IPv6 uRPF check is configured between ISPs.

For special packets or users, you can configure IPv6 ACLs.

Figure 5 Network diagram


Restrictions and guidelines: IPv6 uRPF configuration

Do not configure the allow-default-route keyword for loose IPv6 uRPF check. Otherwise, IPv6 uRPF might fail to work.

If you configure IPv6 uRPF globally and on an interface, the interface preferentially uses the interface-specific settings.

If you enable IPv6 uRPF globally or on an interface, uRPF is also enabled. Make sure IPv6 uRPF and uRPF use the same global or interface-based check mode and allow-default-route settings.

If you configure both strict IPv6 uRPF and ECMP routing, the device performs IPv6 uRPF check on service packets matching the ECMP routes as follows:

·     When the number of ECMP routes is less than or equal to 8, the device performs strict IPv6 uRPF check.

·     When the number of ECMP routes is greater than 8, the device performs loose IPv6 uRPF check.

You can enable IPv6 uRPF on Layer 3 interfaces, Layer 3 subinterfaces, Layer 3 aggregate interfaces, Layer 3 aggregate subinterfaces, or VLAN interfaces.

As a best practice, schedule IPv6 uRPF configuration for a maintenance window, because a short Layer 3 traffic interruption occurs after IPv6 uRPF is configured.

IPv6 uRPF checks only incoming packets on interfaces.

A Layer 3 interface enabled with IPv6 uRPF cannot act as a public network interface of a tunnel.

IPv6 uRPF does not take effect on tunneled packets. The processing of tunneled packets varies as follows:

·     If loose IPv6 uRPF is configured, the device allows the tunneled packets to pass through.

·     If strict IPv6 uRPF is configured, the device drops the tunneled packets.

In an MPLS network, an egress node cannot perform strict IPv6 uRPF check on packets from the penultimate hop to which the egress assigns an implicit null label. For more information about the implicit null label, see MPLS Configuration Guide.

IPv6 uRPF is mutually exclusive with the following features:

·     Super VLAN.

·     Private VLAN.

·     ARP proxy forwarding.

·     ND proxy forwarding.

·     SAVA.

For more information about super VLAN and private VLAN features, see VLAN configuration in Layer 2—LAN Switching Configuration Guide. For more information about ARP proxy forwarding, see ARP configuration in Layer 3—IP Services Configuration Guide. For more information about ND proxy forwarding, see IPv6 basics configuration in Layer 3—IP Services Configuration Guide. For more information about SAVA, see "Configuring SAVA."

Enabling IPv6 uRPF globally

Restrictions and guidelines

Global IPv6 uRPF takes effect on all interfaces of the device.

Procedure

1.     Enter system view.

system-view

2.     Enable global IPv6 uRPF.

ipv6 urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]

By default, IPv6 uRPF is disabled.

Enabling IPv6 uRPF on an interface

1.     Enter system view.

system-view

2.     Enter Layer 3 interface view.

interface interface-type interface-number

3.     Enable IPv6 uRPF.

ipv6 urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]

By default, IPv6 uRPF is disabled.

Display and maintenance commands for IPv6 uRPF

Execute display commands in any view.

Task: Display IPv6 uRPF configuration.

Command (standalone mode):

display ipv6 urpf [ interface interface-type interface-number ] [ slot slot-number ]

Command (IRF mode):

display ipv6 urpf [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]
