URPF prevents network attacks based on source address spoofing and can be performed in strict or loose mode.
Unicast Reverse Path Forwarding (URPF) is a technology used to defend against network attacks based on source address spoofing.
Generally, upon receiving a packet, a router first obtains the destination IP address of the packet and then searches the forwarding table for a route to the destination address. If the router finds such a route, it forwards the packet; otherwise, it discards the packet. A URPF-enabled router, however, obtains the source IP address of a received packet and searches for a route to the source address. If the router fails to find the route, it considers that the source address is a forged one and discards the packet. In this manner, URPF can effectively protect against malicious attacks that are launched by changing the source addresses of packets.
URPF works by enabling a device to verify the reachability of the source address in a received packet. If the source IP address is unreachable, the packet is discarded.
In a complex network environment with asymmetrical routes, URPF cannot work normally, because a packet may legitimately arrive on an interface other than the one the router would use to reach its source.
To counteract this problem, the NE9000 supports two URPF modes:
- Strict mode
- Loose mode
Strict mode
In strict URPF mode, a data packet can pass the URPF check only when the forwarding table contains a matching entry and the outbound interface of the entry matches the inbound interface of the packet.
Loose mode
In loose URPF mode, a packet can pass the URPF check as long as there is a route with the destination address that is the source address of the packet, regardless of whether the outbound interface of the route and the inbound interface of the packet match.
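The following Python model is an added example, not NE9000 code, that shows how the strict and loose checks described above decide on a packet. It uses a constructed forwarding table and interface names (assumptions for the example), performs the longest-prefix lookup on the packet's source address, and applies the strict rule (outbound interface must equal the inbound interface) or the loose rule (any matching route suffices); it also models the allow-default option, under which a source matched only by the default route is accepted.

```python
import ipaddress

# Constructed forwarding table (prefix -> outbound interface).
# Entries and interface names are assumptions for this example.
FIB = {
    "10.1.0.0/16": "GE1/0/1",     # single-homed customer site A
    "10.2.0.0/16": "GE1/0/2",     # single-homed customer site B
    "192.168.0.0/16": "GE2/0/0",  # remote prefix, best path via uplink 1
    "0.0.0.0/0": "GE2/0/0",       # default route toward the core
}


def lookup(fib, address):
    """Longest-prefix match; returns (network, outbound interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, oif in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, oif)
    return best


def urpf_check(fib, src, in_iface, mode="strict", allow_default=False):
    """Return True if the packet passes the URPF check, False if it is dropped.

    strict: route to src must exist and its outbound interface must equal in_iface.
    loose:  any route to src is enough, regardless of interface.
    allow_default: accept a source matched only by the default route.
    """
    match = lookup(fib, src)
    if match is None:
        return False                      # no route back to the source: treat as forged
    net, oif = match
    if net.prefixlen == 0 and not allow_default:
        return False                      # matched only the default route
    if mode == "loose":
        return True
    return oif == in_iface                # strict: reverse path must use the ingress interface


def demo():
    """Run a few constructed packets through both modes; returns a list of decisions."""
    packets = [
        # (src, in_iface, note)
        ("10.1.5.5", "GE1/0/1", "site A, arrives on its own interface"),
        ("10.1.5.5", "GE1/0/2", "site A address spoofed from site B"),
        ("192.168.1.1", "GE2/0/1", "asymmetric return path on uplink 2"),
        ("172.16.9.9", "GE2/0/0", "source known only via default route"),
    ]
    rows = []
    for src, iif, note in packets:
        rows.append((note,
                     urpf_check(FIB, src, iif, "strict"),
                     urpf_check(FIB, src, iif, "loose")))
    return rows


if __name__ == "__main__":
    for note, strict_ok, loose_ok in demo():
        print(f"{note:45s} strict={'pass' if strict_ok else 'drop'} "
              f"loose={'pass' if loose_ok else 'drop'}")
```

The asymmetric-path row is the case the text warns about: the packet is legitimate but strict mode drops it because the reverse path points at a different interface, while loose mode passes it. The spoofed row shows what loose mode gives up: a forged source that is reachable somewhere in the table passes the loose check on any interface.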
For this project, loose mode can be configured on the links between the CE and PE and between the PE and P, because a route there may be reachable over multiple links.
For an interface that connects end users, strict mode can be enabled if there is only a single link.
The configuration example is as below:
Table 1-1 URPF Configuration
#
interface interface-type interface-number
 ip urpf { loose | strict } [ allow-default ] [ statistics enable ]
 commit
#