Unicast Reverse Path Forwarding (uRPF)

Latest reply: Apr 19, 2019 07:58:05

Normally when your router receives unicast IP packets it only cares about one thing:

What is the destination IP address of this IP packet so I can forward it?

If the IP packet has to be routed it will check the routing table for the destination IP address,
select the correct interface and it will be forwarded. Your router really doesn’t care about
source IP addresses as it’s not important for forwarding decisions.


When you use multicast, checking the source of multicast IP packets is a very important
topic. Right now I’m only talking about unicast IP packets.


uRPF is a security feature that prevents these spoofing attacks. Whenever your router receives
an IP packet it will check if it has a matching entry in the routing table for the source IP address.
If it doesn’t match, the packet will be discarded. uRPF has two modes:

* Strict mode
* Loose mode


Strict mode means that the router will perform two checks for all incoming packets on a certain
interface:

* Do I have a matching entry for the source in the routing table?
* Do I use the same interface to reach this source as the one where I received this packet?

When the incoming IP packet passes both checks, it will be permitted. Otherwise it will be
dropped. This is perfectly fine for IGP routing protocols since they use the shortest path to the
source of IP packets. The interface that you use to reach the source will be the same as the
interface where you will receive the packets on.




Loose mode means that the router will perform only a single check when it receives an IP
packet on an interface:

* Do I have a matching entry for the source in the routing table?

When it passes this check, the packet is permitted. It doesn’t matter if we use this interface to
reach the source or not. Loose mode is useful when you are connected to more than one ISP
and you use asymmetric routing. The only exception is the null0 interface: if you have any
sources with the null0 interface as the outgoing interface, then the packets will be dropped.


Additional Features


* Logging and Exemptions: uRPF allows the usage of an access-list so you can decide what
  sources it should check and, if required, log the packets that are dropped using access-list
  logging.
* Self-pinging: Allow the router to ping itself using uRPF strict mode on the interface.
* Default route: You can configure uRPF to check source IP addresses against a default route.
  You can use this when you want to accept all packets from your internet connection while
  protecting yourself against spoofed packets with a source IP address from your internal
  network.



Created Apr 19, 2019 07:36:34
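As an added illustration (not part of the original post or any vendor's code), the following Python model implements the strict and loose checks described above over a constructed routing table, including the null0 exception and the optional default-route check. Interface names, prefixes and addresses are made up for the example.

```python
import ipaddress

# Constructed routing table: (prefix, outgoing interface). "Null0" models a
# discard route, which uRPF drops in both modes.
ROUTING_TABLE = [
    ("10.0.0.0/8", "Gi0/1"),       # internal network behind Gi0/1
    ("192.0.2.0/24", "Gi0/2"),     # customer prefix behind Gi0/2
    ("203.0.113.0/24", "Null0"),   # black-holed prefix
    ("0.0.0.0/0", "Gi0/0"),        # default route towards the internet
]


def lookup(src, table):
    """Longest-prefix match for src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(src, in_iface, table, mode="strict", allow_default=False):
    """True if a packet from src arriving on in_iface passes the uRPF check.

    strict: a route to the source must exist and point back out in_iface.
    loose:  a route to the source must exist; the interface does not matter.
    allow_default: whether a match on the 0.0.0.0/0 route counts as a route.
    """
    match = lookup(src, table)
    if match is None:
        return False            # no route back to the source at all
    net, out_iface = match
    if out_iface == "Null0":
        return False            # null0 sources are dropped in both modes
    if net.prefixlen == 0 and not allow_default:
        return False            # only the default route matched; not accepted
    if mode == "loose":
        return True
    return out_iface == in_iface  # strict: must arrive on the return interface
```

With strict mode and allow_default=True on the internet-facing Gi0/0, an internet source is accepted while a packet claiming an internal 10.0.0.0/8 source is dropped, which is the use case the post describes for the default-route option.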

Good example, thanks for your sharing.

Created Apr 19, 2019 07:58:05

> Posted by BOBOSHEN at 2019-04-19 01:36: Good example, thanks for your sharing.

Thanks for your motivation.

Best Regards
IP Data communication TAC Middle East
