
Brocade Communications Systems FastIron X Series User Manual

Brocade Communications Systems FastIron X Series
593 pages
Unicast Reverse Path Forwarding
• Unicast Reverse Path Forwarding
• Configuration considerations for uRPF
• Unicast Reverse Path Forwarding feasibility
• System-max changes and uRPF
• Enabling unicast Reverse Path Forwarding
• Configuring unicast Reverse Path Forwarding modes
Unicast Reverse Path Forwarding
The unicast Reverse Path Forwarding check is used to guard against source IP-based spoofing and malformed source IP addresses.
A number of common types of denial-of-service (DoS) attacks, including Smurf and Tribe Flood Network (TFN), can take advantage of
forged or rapidly changing source IP addresses to allow attackers to thwart efforts to locate or filter the attacks. Reverse Path Forwarding
(RPF) is designed to prevent such an attacker from spoofing a source IP address by checking that the source IP address specified for a
packet is received from a network to which the device has access. Packets with invalid source IP addresses are not forwarded. RPF is
supported for IPv4 and IPv6 packets. Differences in RPF support between IPv4 and IPv6 are noted within this section where necessary.
RFC 3704, Ingress Filtering for Multihomed Networks, covers various aspects of source IP address spoofing in forwarded
traffic.
FastIron devices support two unicast Reverse Path Forwarding (uRPF) modes according to RFC 3704:
• Strict mode: In this mode, all incoming packets are tested against the forwarding information base (FIB). If the incoming
interface is not the best reverse path, the packet check fails. Failed packets are discarded by default. The source IP (SIP) lookup and
the SIP's next hop layer interface information are used in this mode. This mode has options to include the default route check or
exclude the default route check.
• Loose mode: In this mode, each incoming packet's source address is tested against the forwarding information base. As long as
there is a match for the source IP address in the forwarding information base, the traffic is allowed. Next hop interface
information is not used in this mode. The packet is dropped only if the source address is not reachable through any interface on
that router. This mode has options of including the default route check or excluding the default route check. Including the default
route check is the default configuration mode. Use the rpf-mode strict command for this mode. To exclude the default route
check, you must include the urpf-exclude-default option after explicitly entering the rpf-mode strict command.
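The two modes described above, as a small Python model; this is an added example, not code from the Brocade manual or from FastIron software. The FIB entries, interface names and the best_route and urpf_check functions are constructed for illustration, and the model assumes one best path per prefix (no ECMP) and that excluding the default route means a source matched only by 0.0.0.0/0 fails the check.

```python
import ipaddress

# Constructed FIB for illustration: (prefix, interface of the best path).
FIB = [
    ("0.0.0.0/0", "e1/1"),      # default route toward the upstream
    ("10.1.0.0/16", "ve10"),
    ("10.1.2.0/24", "ve20"),    # more specific than the /16 above
    ("192.0.2.0/24", "e1/2"),
]

def best_route(fib, src, exclude_default):
    """Longest-prefix match for src; optionally ignore the default route."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if exclude_default and net.prefixlen == 0:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_check(fib, src, in_if, mode, exclude_default=False):
    """Return True if the packet is forwarded, False if it is dropped."""
    route = best_route(fib, src, exclude_default)
    if route is None:
        return False                 # no FIB match: fails in either mode
    if mode == "loose":
        return True                  # a match on any interface is enough
    if mode == "strict":
        return route[1] == in_if     # must arrive on the best reverse path
    raise ValueError(f"unknown uRPF mode: {mode}")

if __name__ == "__main__":
    # Constructed packets: (source IP, ingress interface).
    packets = [("10.1.2.5", "ve20"), ("10.1.2.5", "ve10"), ("203.0.113.9", "e1/1")]
    for src, in_if in packets:
        for mode in ("strict", "loose"):
            for excl in (False, True):
                verdict = "forward" if urpf_check(FIB, src, in_if, mode, excl) else "drop"
                print(f"{src:<12} in={in_if:<5} {mode:<6} exclude_default={excl!s:<5} {verdict}")
```

The second packet shows the difference between the modes: 10.1.2.5 arriving on ve10 matches the FIB, so loose mode forwards it, but its best reverse path is ve20, so strict mode drops it.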
Conguration considerations for uRPF
The following
conguration considerations apply to unicast Reverse Path Forwarding (uRPF) on supported Brocade devices.
The following are general considerations for uRPF:
• uRPF works on the layer 3 interface level (layer 3 physical interface or layer 3 VE interface).
• uRPF is VRF-aware.
• If a VLAN has multiple ports, the uRPF check will not identify packets coming in from different ports within the same VLAN,
since a VLAN is considered as having a single Layer 3 interface.
• uRPF can be configured along with PBR, routing protocol configurations, and multicast configurations.
• uRPF is not supported on tunnel interfaces.
• Tunnel keep-alive packets will be dropped in the hardware if uRPF is configured.
FastIron Ethernet Switch Layer 3 Routing
53-1003627-04 589
