Zte ZXR10 8900 Series - URPF Configuration; URPF Overview

To Next Page

To Previous Page

Chapter17

URPFConfiguration

TableofContents

URPFOverview................................................................157

ConguringURPF.............................................................158

URPFCongurationExample.............................................159

URPFMaintenanceandDiagnosis.......................................160

URPFOverview

URPFservestopreventattackswithsourceaddressspoongto

thenetwork.Term"Reverse"isrelativetonormalroutesearch.A

routerwillgetdestinationaddressofthepacketandsearchfora

routetothedestinationonceitreceivesapacket.Itwillforward

thepacketifsucharouteisfoundorsimplydiscardthepacketif

thereisnoavailableroutetothedestination.

WorkingPrincipleURPFgetsthesourceaddressandingressinterfaceofthepacket

andusessourceaddressasdestinationaddresstolookupinthe

forwardingtableandseeiftheinterfacecorrespondingtothe

sourceaddressmatchestheingressinterface.Wheninterface

doesnotmatchtheingressinterface,itwillregardsourceaddress

asafalseaddressandthendiscardthepacket.Inthisway,URPF

caneffectivelypreventmaliciousattacksbymodifyingthesource

addresstothenetwork.

Module1AsimplenetworkmoduleisshowninFigure37.

FIGURE37SOURCEADDRESSSNOOPING1

WhenS1usesapacketwithafalsesourceaddress2.2.2.1to

initiatearequesttoServerS2whichwillsendthepackettoreal

address2.2.2.1(thatis,S3)whilerespondingtotherequest.This

illegalpacketwillattackbothS2andS3.

Attackersmaywageanattackbyrandomlychangingsourcead-

dressinthepacket.Inthisexample,sourceaddressisoneof

reservednon-globalIPaddressesandthusisunreachable.Alegal

CondentialandProprietaryInformationofZTECORPORATION157

Other manuals for Zte ZXR10 8900 Series