uRPF – Unicast Reverse Path Forwarding [Explained]
What is uRPF:
It’s a security feature that lets a router verify the reachability of the source address of packets that are being forwarded on a specific interface. This capability limits the appearance of spoofed source addresses on a network: if the source IP address is not valid according to the router's forwarding table, the packet is discarded.
When using the Unicast RPF feature, all traffic that comes into a configured interface is checked to ensure that the interface that would be used to route traffic back to the source address is the same interface that was used to receive the traffic.
uRPF modes:
Unicast RPF functions in one of three modes:
- strict mode
- loose mode
- VRF mode
– Strict Mode:
When uRPF strict mode is turned on for an interface, the router compares the source address and inbound interface of every packet entering that interface against the FIB. If the source address and inbound interface match the FIB entry (the best route back to the source points out the interface the packet arrived on), the packet is forwarded. If they do not match what is in the FIB, the packet is silently discarded.
Spoofed source addresses are caused either by denial-of-service (DoS) attacks or misconfigured end-user devices. Turning on uRPF ensures that only packets with valid source addresses are permitted through the interface.
– Loose Mode:
The one caveat of using Unicast RPF in strict mode is that it only permits traffic whose return path (source interface and address) matches the best reverse path (symmetric routing), so it does not work well where multiple connections (multi-homing) cause asymmetric routing.
To deal with this problem, a second version of Unicast RPF was later developed, called “loose mode”: in this mode only the source address is matched against the FIB (Forwarding Information Base), so the traffic may be received on any interface as long as a route back to the source exists.
This option is used when the network operator is interested in dropping non-routed address space and is typically used on routers carrying the full BGP table or when customers are multi-homed on to the service provider network using BGP.
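To make the difference between the two modes concrete, the following is an added example (not code from the article or from Cisco) that simulates the uRPF decision a router makes for a handful of constructed packets. The FIB, interface names and packet list are invented for the illustration. Strict mode requires the best reverse route to exit the interface the packet arrived on; loose mode only requires that some route to the source exists. The example also treats a source whose route points to Null0 as failing the check, which is how IOS behaves and is what lets loose mode drop non-routed address space, although the article itself does not go into that.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed FIB for an edge router: (prefix, egress interface).
# On a real router this comes from CEF; here it is hand-built.
FIB: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("10.1.0.0/16"), "Gi0/1"),       # customer A, single-homed
    (ipaddress.ip_network("10.2.0.0/16"), "Gi0/2"),       # customer B
    (ipaddress.ip_network("203.0.113.0/24"), "Gi0/2"),    # customer B's second block; best path via Gi0/2
    (ipaddress.ip_network("192.0.2.0/24"), "Null0"),      # prefix blackholed to Null0
]
# Note: no default route is present, so unrouted space has no FIB entry.


def fib_lookup(src: ipaddress.IPv4Address) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match on the source address, as CEF would do."""
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, iface in FIB:
        if src in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_check(src_ip: str, in_iface: str, mode: str) -> Tuple[bool, str]:
    """Return (forward?, reason) for a packet with source src_ip arriving on in_iface."""
    if mode not in ("strict", "loose"):
        raise ValueError(f"unknown uRPF mode: {mode}")
    src = ipaddress.ip_address(src_ip)
    entry = fib_lookup(src)
    if entry is None:
        # Both modes drop sources the router has no route back to.
        return False, "no FIB route to source (unrouted address space)"
    prefix, out_iface = entry
    if out_iface == "Null0":
        # A source routed to Null0 is unreachable, so it fails in both modes.
        return False, f"source falls in {prefix}, which routes to Null0"
    if mode == "loose":
        # Loose mode: any usable route back to the source is enough.
        return True, f"route to source exists via {out_iface}"
    # Strict mode: the reverse path must leave on the arrival interface.
    if out_iface == in_iface:
        return True, f"reverse path {out_iface} matches inbound interface"
    return False, f"reverse path is {out_iface}, packet arrived on {in_iface}"


# Constructed sample packets: (source address, inbound interface).
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("10.1.5.7", "Gi0/1"),       # legitimate customer A traffic
    ("10.2.9.9", "Gi0/1"),       # customer B's address arriving on A's interface (spoofed)
    ("203.0.113.40", "Gi0/3"),   # multi-homed customer B sending over its second link
    ("172.16.0.1", "Gi0/1"),     # address with no route in the FIB
    ("192.0.2.5", "Gi0/2"),      # source inside the blackholed prefix
]


def run(mode: str) -> Dict[str, bool]:
    """Evaluate every sample packet in the given mode; keys are 'src@interface'."""
    return {f"{ip}@{iface}": urpf_check(ip, iface, mode)[0] for ip, iface in SAMPLE_PACKETS}


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"--- {mode} mode ---")
        for ip, iface in SAMPLE_PACKETS:
            ok, why = urpf_check(ip, iface, mode)
            print(f"{ip:>14} on {iface}: {'forward' if ok else 'drop   '}  ({why})")
```

Running it shows the asymmetric case from the text directly: the multi-homed packet from 203.0.113.40 arriving on Gi0/3 is dropped in strict mode but forwarded in loose mode, while the unrouted and blackholed sources are dropped in both.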
uRPF Configuration:
– Strict mode Configuration:
The main prerequisite of Unicast RPF is that it relies on the Forwarding Information Base (FIB) that is generated by the Cisco Express Forwarding (CEF) feature; because of this, CEF must be enabled before Unicast RPF.
router(config)#ip cef [distributed]
router(config)#interface interface-id
router(config-if)#ip verify unicast source reachable-via rx [access-list-number]
– Loose mode Configuration:
router(config)#ip cef [distributed]
router(config)#interface interface-id
router(config-if)#ip verify unicast source reachable-via any [access-list-number]
References:
tools.cisco.com/security/center/resources/unicast_reverse_path_forwarding
www.ciscopress.com/articles/article.asp?p=1725270
nsrc.org/workshops/2019/mnnog1/riso/networking/routing-security/en/labs/uRPF.html