
SE2900: Details about URPF parameter in SET IPSPARA command

Created: Mar 2, 2021 06:41:35
Latest reply: Mar 2, 2021 06:53:43

Hi


We are using Huawei SE2900 SBC in our network. We want to enhance security by making URPF=STRICT (currently it is set to LOOSE). We want to know the details and impact of making this parameter STRICT.


Any help would be appreciated.

Featured Answers

Recommended answer

Y_T_Z
Admin Created Mar 2, 2021 06:50:59

Hi, SyedAasimAbbas!
Welcome to our community!

About the parameter, please see the following picture.

SET IPSPARA


If you want to learn more about it, see the link.

https://support.huawei.com/hedex/hdx.do?docid=EDOC1100118110&id=EN-US_MMLREF_0084359960&lang=en


Best wishes!



All Answers

Hello,

URPF Strict Check

The URPF strict check is recommended in the case of route symmetry. After the URPF strict check is enabled, packets can pass the URPF check only when the forwarding table contains the related entries, and matched interfaces exist.

If there is only one path between two network edge routers (FW), it indicates that the routes are symmetrical. In this case, using the URPF strict check can effectively ensure network security.

As shown in Figure 1, AS1, AS2, and AS3 are uni-directionally connected. Enable URPF on interface (1) and interface (2) on sysname_C to protect AS3 from source address spoofing attacks from AS1 and AS2.

Assume that a PC in AS1 generates a packet with the pseudo source IP address 10.2.2.2 and sends the packet to the Server in AS3. After sysname_C receives this packet, it checks the inbound interface and source IP address of the packet and determines, based on the inbound interface and source IP address, that a packet with the source address 10.2.2.2 must enter the FW through interface (2) rather than interface (1). sysname_C then considers the packet a pseudo packet and discards it.

The packet sent from AS2 to the Server is forwarded normally after passing through the URPF check.

Figure 1 URPF applied on a single-homed client

URPF Loose Check

If route symmetry is not available, use the URPF loose check. The URPF check does not check whether packets enter the FW through the matched inbound interfaces. Packets can pass the loose check as long as there is a route to the source IP address.

Route symmetry cannot be guaranteed in two situations: single-homed client with a single ISP and multi-homed client with several ISPs.

  • Multi-homed client with a single ISP

    As shown in Figure 2, multiple connections are set up between Enterprise and ISP to ensure reliability. In this case, route symmetry between the Enterprise and the two ISP FWs cannot be ensured. Hence, you must use the URPF loose check.

    URPF loose check provides high security. When URPF loose check is enabled on interface (1) of FW C, and a packet arrives at FW C through FW A, the packet is not discarded if FW C identifies that there is a route destined for the source IP address of the packet on FW C; the packet is discarded if FW C identifies that there is no route destined for the source IP address of the packet on FW C.

    Figure 2 URPF applied on a single-homed client with a single ISP
  • Multi-homed client with several ISPs

    As shown in Figure 3, Enterprise is connected to several ISPs. Hence, route symmetry between the Enterprise and the two ISP FWs cannot be ensured. Here, you must use the URPF loose check.

    Figure 3 URPF applied on a multi-homed client with several ISPs
  • In addition, URPF has the following features:

    • You can also specify a few source addresses in the ACL to allow packets with these addresses to pass the URPF check in any situation. That is, the FW supports using an ACL to specify packets that are not discarded by the URPF check.

    • If FWs of several users share only one default route to the ISP FW, you must configure default routes to ensure that the FWs pass the check.
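To make the strict/loose distinction in the answer above concrete, here is an added Python model of the reverse-path check (example code, not Huawei's implementation). The FIB prefixes, the interface names if1/if2/if3, the exempt ACL prefix and the default-route handling are constructed assumptions standing in for "interface (1)" and "interface (2)" of Figure 1.

```python
import ipaddress

# Constructed sample FIB for sysname_C in Figure 1 (assumed prefixes and
# interface names; the page only names "interface (1)" and "interface (2)").
FIB = {
    ipaddress.ip_network("10.1.0.0/16"): "if1",   # route toward AS1
    ipaddress.ip_network("10.2.0.0/16"): "if2",   # route toward AS2
    ipaddress.ip_network("10.3.0.0/16"): "if3",   # AS3, the protected side
}

# Optional default route and ACL exemptions (the two extra URPF features
# listed in the answer). Both values are constructed for this example.
DEFAULT_ROUTE = None                                # e.g. "if1" for a shared default route
ACL_ALLOW = {ipaddress.ip_network("192.0.2.0/24")}  # sources exempt from URPF


def lookup(src, fib, default_iface=None):
    """Longest-prefix match: return the egress interface for src, or None."""
    src = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        if src in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    if best:
        return best[1]
    return default_iface           # None unless a default route is configured


def urpf_check(src, in_iface, mode="strict", fib=FIB,
               acl_allow=ACL_ALLOW, default_iface=DEFAULT_ROUTE):
    """Return True if the packet passes URPF, False if it should be dropped."""
    src_ip = ipaddress.ip_address(src)
    # ACL exemption: listed sources pass in any situation.
    if any(src_ip in p for p in acl_allow):
        return True
    egress = lookup(src, fib, default_iface)
    if egress is None:
        return False               # no route to the source: dropped in both modes
    if mode == "loose":
        return True                # a route exists; the interface is not checked
    return egress == in_iface      # strict: reverse path must use the inbound interface


if __name__ == "__main__":
    # Figure 1: spoofed 10.2.2.2 arriving from AS1 on interface (1) = if1.
    print("strict, spoofed via if1:", urpf_check("10.2.2.2", "if1", "strict"))  # False
    print("loose,  spoofed via if1:", urpf_check("10.2.2.2", "if1", "loose"))   # True
    print("strict, genuine via if2:", urpf_check("10.2.2.2", "if2", "strict"))  # True
```

The last two calls show the impact the question asks about: the same spoofed packet that LOOSE lets through is dropped by STRICT, so switching modes on a multi-path (asymmetric) link will also drop legitimate traffic whose return route points at a different interface.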


