So this short presentation will show you how unicast reverse path forwarding works. uRPF is a technique where the router can discard packets with invalid, fake or incorrect source addresses by a simple check against the forwarding table, the FIB. This is much more efficient than implementing ingress packet filters on the router itself. uRPF is part of BCP38. BCP38 is one of the series of best current practices produced by the IETF, and was published early in 2000. uRPF is a very effective tool to assist with defeating denial of service attacks at source. It is implemented by network operators on their access devices, where end users and end devices connect to the network infrastructure.

There are two modes for uRPF. The first is strict mode, where the source address must be reachable via the source or incoming interface; this is typically used in access networks. The other mode is known as loose mode, where the source address must simply be present in the router's FIB. Typically this is used to drop non-routed address space, and it can also be used when asymmetric traffic flows are present, for example in multihoming scenarios.

Let's have a look at how this all works. The slide shows uRPF strict mode. We have a router with an incoming interface, FastEthernet 0/0, and an outgoing interface, GigabitEthernet 0/1. A packet comes in on the source interface FastEthernet 0/0 with source address 172.16.1.1. The router will look in the FIB to see how it reaches this source address, and if you look at the FIB entry you see that the source address is reachable through FastEthernet 0/0: the router has a FIB entry for the 172.16.1.0/24 network. Because the entry exists in the FIB and it is a valid source, the router will then forward the packet out of the GigabitEthernet 0/1 interface. However, if there is an incoming packet with source address 192.168.1.1, the router will check the FIB and see that the 192.168.1.0/24 network is reachable out through the GigabitEthernet 0/1 interface, so this address is not reachable through the FastEthernet 0/0 interface. This is considered a fake source address: the FIB entry does not match the incoming interface, and the packet is dropped.

Now let's have a look at some configuration examples of how you would configure this using Cisco IOS. Each vendor will have a similar style of configuring unicast reverse path forwarding. The example shown on the slide shows an Ethernet LAN with uRPF configured for both IPv4 and IPv6. The example shows a uRPF configuration that will handle both a directly connected LAN and another network connected behind the LAN. The interface in this example is configured with IPv4 address 192.168.0.254/24 and IPv6 address 2001:DB8:0:1::FF/64. We have configured "ip verify unicast source reachable-via rx", where rx means the receiving interface, for IPv4 and the equivalent for IPv6, together with the allow-self-ping option. We will now look at what these features of the configuration mean.

The router's IPv4 and IPv6 FIBs would look something like this. In IPv4, if I display the IP FIB, amongst all the entries I will see two entries for the IPv4 subnets I have been using: 192.168.0.0/24 is attached and reachable through FastEthernet 0/1, and 192.168.1.0/24 has next hop 192.168.0.1 and again is reachable through FastEthernet 0/1. For the IPv6 FIB we see that 2001:DB8:0:1::/64 is attached to FastEthernet 0/1, and the destination 2001:DB8:1:1::/64 has a next hop via the link-local address shown and is reachable through the FastEthernet 0/1 interface. So when the uRPF check is now implemented, incoming packets with source addresses in 192.168.0.0/24 or 192.168.1.0/24 will result in a valid RPF check and the packets will be forwarded. Likewise for IPv6, any packets coming from the subnets 2001:DB8:0:1::/64 or 2001:DB8:1:1::/64 will pass the RPF check and be forwarded.

If we look at the loose mode configuration as shown in the slide, you will see that the configuration has changed slightly: the reachable-via is now any. This means that the router will check the entire FIB for the source address, meaning that we have a successful test so long as the subnet is somewhere in the router's FIB. Cisco IOS allows various options. Just to summarise these: reachable-via rx selects strict mode, and reachable-via any selects loose mode. allow-self-ping enables the operator to use ping on the local interface to check local link connectivity; without allow-self-ping it would not be possible to ping the local interface address from the router. In loose mode, the allow-default option allows a successful match against the default route, if this is required by the operator. And there are also access lists available to apply uRPF checks selectively.

Let's have a look at some deployment advice now. Our advice would be to implement uRPF on all single-homed customer-facing interfaces. This is much cheaper in terms of CPU and RAM than implementing packet filters on the router, and indeed just make uRPF a default setting in all access router templates, as many network operators have been doing for most of this century. In the case of multihomed connections, the deployment of uRPF needs very careful planning, if it is implemented at all. Asymmetric traffic flows are common, and strict mode uRPF would mean that at least the BGP weight feature would need to be implemented. Loose mode ensures uRPF can be implemented, but again we advise that care is needed when deploying this: there is the danger that packets could be dropped with any misconfiguration or mis-planned implementation of uRPF. Indeed most operators will avoid using uRPF in the situation of multihomed customer connections.

To conclude, uRPF has been available in major vendor implementations since the late 1990s. There is more documentation in BCP38 about defeating denial of service attacks by source address filtering, and you can read more in BCP38 at the URL on the screen. Implementation of uRPF is an essential technique for assisting with defeating these denial of service attacks, and it is one of the principles in the current MANRS initiative; you can read more about MANRS on the website shown on the screen.
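The strict and loose mode checks described above, and the allow-default option, as an added worked example that is not part of the presentation. It models the router's FIB as a list of prefixes with a single next-hop interface each (no ECMP is assumed), performs the longest-prefix match on the packet's source address, and applies the reachable-via rx / any rules; the FIB contents reuse the slide's addresses, while the default route and the interface name spellings are assumptions.

```python
import ipaddress


def build_fib(entries):
    """Turn (prefix, interface) string pairs into (ip_network, interface) FIB entries."""
    return [(ipaddress.ip_network(p), i) for p, i in entries]


def fib_lookup(fib, address):
    """Longest-prefix match of an address against the FIB; returns (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, iface in fib:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best


def urpf_check(fib, src, in_iface, mode="rx", allow_default=False):
    """True if a packet with source src arriving on in_iface passes the uRPF check.
    mode "rx"  (strict): the FIB entry covering src must point at the incoming interface.
    mode "any" (loose):  src only has to be covered by some entry in the FIB.
    A match on the default route (prefix length 0) only counts when allow_default is set."""
    hit = fib_lookup(fib, src)
    if hit is None:
        return False  # source not in the FIB at all: non-routed space, drop
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False  # only the default route covers it; not accepted unless allow-default
    if mode == "any":
        return True
    if mode == "rx":
        return iface == in_iface
    raise ValueError("mode must be 'rx' (strict) or 'any' (loose)")


# Constructed FIB for the strict-mode slide; the default route is an added assumption.
STRICT_SLIDE_FIB = build_fib([
    ("172.16.1.0/24", "FastEthernet0/0"),
    ("192.168.1.0/24", "GigabitEthernet0/1"),
    ("0.0.0.0/0", "GigabitEthernet0/1"),
])

# Constructed FIB for the IOS LAN example: both IPv4 and IPv6 subnets sit behind FastEthernet0/1.
LAN_SLIDE_FIB = build_fib([
    ("192.168.0.0/24", "FastEthernet0/1"),
    ("192.168.1.0/24", "FastEthernet0/1"),
    ("2001:db8:0:1::/64", "FastEthernet0/1"),
    ("2001:db8:1:1::/64", "FastEthernet0/1"),
])
```

Running urpf_check(STRICT_SLIDE_FIB, "192.168.1.1", "FastEthernet0/0") reproduces the slide's drop, while the same call with mode="any" shows why loose mode would have forwarded that packet.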
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)