So this short presentation will show you how unicast reverse path forwarding works. uRPF is a technique where the router can discard packets with invalid, fake or incorrect source addresses by a simple check against the forwarding table, the FIB. This is much more efficient than implementing ingress packet filters on the router itself.
uRPF is part of BCP38. BCP38 is one of the series of Best Current Practice documents produced by the IETF and was published early in 2000. uRPF is a very effective tool to assist with defeating denial of service attacks at source. It is implemented by network operators on their access devices, where end users and end devices connect to the network infrastructure.

There are two modes for uRPF. In strict mode the source address must be reachable via the source, or incoming, interface; this is typically used in access networks. The other mode is known as loose mode, where the source address must simply be in the router's FIB. Loose mode is typically used to drop non-routed address space, and it can also be used when asymmetric traffic flows are present, for example in multihoming scenarios.

Let's have a look at how this all works. The slide shows uRPF strict mode. We have a router with an incoming interface, FastEthernet 0/0, and an outgoing interface, GigabitEthernet 0/1. A packet comes in on FastEthernet 0/0 with source address 172.16.1.1. The router looks in the FIB to see how it reaches this source address, and if you look at the FIB entry you see that the source address is reachable through FastEthernet 0/0: the router has a FIB entry for the 172.16.1.0/24 network. Because the entry exists in the FIB and it is a valid source, the router will then forward the packet out of the GigabitEthernet 0/1 interface. However, if there is an incoming packet with source address 192.168.1.1, the router checks the FIB and sees that the 192.168.1.0/24 network is reached out through the GigabitEthernet 0/1 interface. That network is not reachable through the FastEthernet 0/0 interface, so this is considered a fake source address: the FIB entry does not match the incoming interface, and the packet is dropped.

Now let's have a look at some configuration examples showing how you would configure this using Cisco IOS. Each vendor will have a similar style of configuring unicast reverse path forwarding. The example on the slide shows an Ethernet LAN with uRPF configured for IPv4 and for IPv6; the configuration handles both the directly attached LAN and another network connected behind the LAN. The LAN in this example is configured with IPv4 address 192.168.0.254/24 and the IPv6 address 2001:db8:0:1::ff/64. We have configured ip verify unicast source reachable-via rx, which means the receiving interface, for IPv4, and the same for IPv6, and we have configured the allow-self-ping option for both. We will now look at what these features of the configuration mean.

The router's IPv4 and IPv6 FIBs would look something like this. For IPv4, if I do show ip fib, amongst all the entries I will see two entries for the IPv4 subnets I have been using: 192.168.0.0/24 is attached and reachable through FastEthernet 0/1, and 192.168.1.0/24 has next hop 192.168.0.1 and again is reachable through FastEthernet 0/1. For the IPv6 FIB we see that 2001:db8:0:1::/64 is attached to FastEthernet 0/1, and the destination 2001:db8:1:1::/64 has a next hop via the link-local address shown and is reachable through the FastEthernet 0/1 interface. So when the RPF check is implemented, incoming packets with source addresses in 192.168.0.0/24 or 192.168.1.0/24 will result in a valid RPF check and the packets will be forwarded. Likewise for IPv6, any packets coming from the subnet 2001:db8:0:1::/64 or 2001:db8:1:1::/64 will pass the RPF check and be forwarded.

If we look at the loose mode configuration as shown on the slide, you will see that the configuration has changed slightly: the reachable-via is now any. This means that the router will check the entire FIB for the source address, meaning that we have a successful test so long as the subnet is somewhere in the router's FIB.

Cisco IOS allows various options; just to summarize these: reachable-via selects the mode, where strict mode is available using the rx keyword and loose mode is available using the any keyword. allow-self-ping enables the operator to use ping on the local interface to check local link connectivity; without self-ping it would not be possible to ping the local interface address from the router. In loose mode the allow-default option allows a successful match against the default route, if this is required by the operator. There are also access lists available to apply uRPF checks selectively.

Let's have a look at some deployment advice now. Our advice would be to implement uRPF on all single-homed customer-facing interfaces. This is much cheaper in terms of CPU and RAM than implementing packet filters on the router, and indeed just make uRPF a default setting in all access router templates, as many network operators have been doing for most of this century. In the case of multihomed connections the deployment of uRPF needs very careful planning, if it is implemented at all. Asymmetric traffic flows are common, and strict mode uRPF would mean that at least the BGP weight feature would need to be implemented. Loose mode ensures uRPF can be implemented, but again we advise that care is needed when deploying this: there is the danger that packets could be dropped with any misconfiguration or mis-planned implementation of uRPF. Indeed most operators will avoid using uRPF in the situation of multihomed customer connections.
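To make the strict, loose and allow-default behaviour described above concrete, here is an added Python model of the check run over the packets from the slides; it is not Cisco code and not part of the presentation. The FIB entries are constructed from the prefixes used on the slides, while the default route, the 10.9.9.9 test source and the exact interface names are assumptions.

```python
import ipaddress

# Constructed FIB modelled on the slides: (prefix, interface the prefix is reached through).
# The default route and the interface name spellings are assumptions for this example.
FIB = [
    ("172.16.1.0/24", "FastEthernet0/0"),
    ("192.168.1.0/24", "GigabitEthernet0/1"),
    ("0.0.0.0/0", "GigabitEthernet0/1"),         # assumed default route
    ("2001:db8:0:1::/64", "FastEthernet0/1"),    # attached LAN from the IPv6 example
    ("2001:db8:1:1::/64", "FastEthernet0/1"),    # network behind the LAN
]


def fib_lookup(fib, src):
    """Longest-prefix match of a source address against the FIB.

    Returns (network, interface) for the most specific matching entry,
    or None when no entry covers the address.
    """
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best


def urpf_check(fib, src, in_iface, mode="rx", allow_default=False):
    """Return True if a packet with source src arriving on in_iface passes uRPF.

    mode="rx"  : strict mode, the FIB entry must point back at in_iface.
    mode="any" : loose mode, any FIB entry covering the source is enough.
    allow_default: whether a match on the default route alone counts.
    """
    match = fib_lookup(fib, src)
    if match is None:
        return False                     # not in the FIB: unrouted source, drop
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False                     # only the default route covers it
    if mode == "rx":
        return iface == in_iface
    if mode == "any":
        return True
    raise ValueError(f"unknown uRPF mode {mode!r}")


if __name__ == "__main__":
    # The two packets from the strict-mode slide, both arriving on FastEthernet0/0.
    for src in ("172.16.1.1", "192.168.1.1"):
        for mode in ("rx", "any"):
            verdict = "forward" if urpf_check(FIB, src, "FastEthernet0/0", mode) else "drop"
            print(f"{src:<12} mode={mode:<3} -> {verdict}")
```

Running it shows 172.16.1.1 forwarded in both modes and 192.168.1.1 dropped in strict mode but accepted in loose mode, which is exactly the asymmetric-routing case the deployment advice warns about.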
And to conclude: uRPF has been available in major vendor implementations since the late 1990s. There is more documentation contained in BCP38 about defeating denial of service attacks by source address filtering, and you can read more in BCP38 at the URL on the screen. Implementation of uRPF is an essential technique for assisting with defeating these denial of service attacks, and it is one of the principles in the current MANRS initiative; you can read more about MANRS on the website shown on the screen.
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)