Pages

2017 CCNP RS, uRPF


Sources:
 - https://learningnetwork.cisco.com/thread/82304
 - http://www.ietf.org/rfc/rfc3704.txt


Unicast Reverse Path Forwarding (uRPF)
- prevent malicious traffic from entering a network
- can help block packets having a spoofed IP address. The way that uRPF works is to check the source IP address of a packet arriving on an interface and determine whether that IP address is reachable, based on the router’s Forwarding Information Base (FIB) used by Cisco Express Forwarding (CEF).
 - Optionally, the router can also check to see whether the packet is arriving on the interface the router would use to send traffic back to that IP address.
 - CEF must be enabled on a router to use uRPF.  

 - Unicast RPF originally was designed to prevent source address spoofing at the customer-ISP edge
 - Recommended ways to prevent spoofing attacks would be to disable source routing feature on the devices by using the command "no ip source-route" in global config mode.
 - The largest practical problem with uRPF is it usually doesn't work when you have multiple ISPs.
 - Show ip traffic – This command will tell you how many packets uRPF has dropped.



Modes of operation for uRPF:
1) Strict mode: a router not only checks to make sure that the source IP address of an arriving packet is reachable, based on the router’s FIB, but the packet must also be arriving on the same interface the router would use to send traffic back to that IP address.

2) Loose mode: a router only verifies that the source IP of a packet is reachable, based on the router’s FIB.

3) VRF mode: (also known as uRPF version 3 or uRPFv3) is similar to loose mode operation in that source IP addresses are checked against the FIB for a specific VRF.

Strict mode could cause traffic to be dropped if an asynchronous routing situation exists (that is, traffic from a network address space might be received on one router interface, but traffic to that same network address space might be transmitted out of a different router interface).  Should typically be used where there is no chance of asynchronous routing (for example, a branch office with
only one connection going back to a corporate headquarters).

uRPF supports an allow-default option that accepts a default route as a valid way to get back to a source IP address.  

Router(config-if)# ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self ping] [acl]
rx - strict mode uRPF
any - loose mode uRPF  = return path can be through ANY interface

allow-default -  Allows uRPF to use a default route if an exact network is not found in a router’s FIB
   (Note: The allow-default option can be used with either strict or loose mode)
 
allow-self-ping  - Allows a router to ping itself when checking the reachability of an IP address
   (Note: Cisco recommends against using the allow-self-ping option in most cases, because it introduces a security risk.)

acl - Identifies an optional access control list that can either permit or deny traffic that fails the uRPF check