Tuesday 4 May 2021

Configuring Unicast Reverse Path Forwarding (URPF) in Cisco IOS

Overview

Unicast Reverse Path Forwarding (uRPF) is used to limit malicious traffic in a network by blocking packets that transit a router with unknown (unverifiable) source IP addresses. The design intention of uRPF is to block IP packets with spoofed or malformed source IP addresses. It does this by checking the source IP address of packets arriving on an interface and determining whether the network of that source IP address is reachable using Layer 2 information in the Forwarding Information Base (FIB). The FIB is generated by Cisco Express Forwarding (CEF). If the network of the packet's source IP address is not reachable, the packet is dropped.

When forwarding traffic, routers by default check the reachability of the destination IP address before forwarding IP packets. With uRPF, the router validates the reachability of the source IP address as well. uRPF can also be configured to verify that the interface on which a packet enters the router is the one the router would normally use to send traffic back to that source network. For uRPF to function, CEF must be enabled globally (using the global configuration command ip cef).

How uRPF Works

The uRPF feature helps to mitigate problems caused by the introduction of malformed or forged/spoofed IP source addresses into a network by discarding IP packets that lack a verifiable IP source address. A number of common Denial-of-Service (DoS) attacks, such as smurf and Tribe Flood Network (TFN) attacks, take advantage of forged or rapidly changing source IP addresses.

uRPF depends on CEF being enabled because the lookup relies on the FIB which is generated by CEF. uRPF is an input function and is applied only on the input interface of a router at the upstream end of a connection.

uRPF checks to see if any packet received at a router interface arrives on the best return path to the source of the packet. uRPF does this by carrying out a reverse lookup in the CEF table. If the packet is received from one of the reverse path routes, the packet is forwarded as normal.

If a reverse path for the packet is not found, the packet is dropped or forwarded depending on whether an ACL is specified in the uRPF configuration.

With uRPF, all equal-cost return paths are considered valid. uRPF works where multiple return paths exist, provided that each path has the same routing cost as the others (hop count, metric, etc.) and the route is in the FIB. uRPF also functions where EIGRP variance is used with unequal-cost routes back to the packet's source IP address.

Unicast RPF Operation Modes

uRPF operates in three modes: strict, loose and VRF. Some modes may not be available on some Cisco router models.

  1. Strict mode: uRPF checks that the source IP address is reachable according to the FIB and that the packet arrives on the same interface the router would use to send traffic back to that IP address. Strict mode should only be used where no possibility of asymmetric routing exists, otherwise legitimate packets will be dropped. Asymmetric routing is likely to occur with BGP.
  2. Loose mode: the router only verifies that the source IP address is reachable according to the FIB entry. The default route and routes via the interface Null0 are not included in this reachability check. If the route is not in the RIB, the packet is dropped.
  3. VRF mode: this mode is similar to loose mode but is deployed in VRF environments. Only routes in the same VRF as the receiving interface are examined. This is commonly used in ISP networks for MPLS and BGP.

By default, uRPF drops packets whose source IP address/network is reachable only via the default route. uRPF supports allow-default to accept a default route as a valid route.

If an ACL is referenced in the uRPF configuration, it is checked only when the uRPF check fails. If the uRPF check fails and the packet is permitted by the ACL, it is forwarded. If the ACL denies the traffic, the packet is dropped after the uRPF failure.
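The decision logic described above (FIB lookup on the source address, strict versus loose mode, the default-route and Null0 exceptions, and the ACL fallback for packets that fail the check) can be modelled in a few lines. The following Python is an added example written for this page, not Cisco code; the FIB entries, interface names (Gi0/0 and so on), source addresses and the stand-in for ACL 10 are all constructed. The counters follow the page's own show ip interface output, where every failed check is counted as a verification drop and the ACL-permitted subset is additionally counted as a suppressed drop.

```python
"""Toy model of the uRPF decision on a router interface.

Added example, not Cisco code: the FIB entries, interface names, source
addresses and the ACL below are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class FibEntry:
    prefix: ipaddress.IPv4Network
    out_ifaces: tuple  # egress interfaces; several = equal-cost paths, "Null0" = discard route


@dataclass
class Counters:
    """Mirrors the 'verification drops' / 'suppressed verification drops' interface counters."""
    drops: int = 0             # every packet that failed the uRPF check
    suppressed_drops: int = 0  # the subset that the ACL then permitted (forwarded anyway)


def lookup(fib, src):
    """Longest-prefix match on the source address, as a CEF FIB lookup does."""
    best = None
    for entry in fib:
        if src in entry.prefix and (best is None or entry.prefix.prefixlen > best.prefix.prefixlen):
            best = entry
    return best


def urpf_passes(fib, src_ip, in_iface, mode="rx", allow_default=False):
    """mode='rx' is strict mode, mode='any' is loose mode."""
    src = ipaddress.IPv4Address(src_ip)
    entry = lookup(fib, src)
    if entry is None:
        return False                          # no route at all to the source network
    if entry.prefix.prefixlen == 0 and not allow_default:
        return False                          # the default route only counts with allow-default
    real_paths = [i for i in entry.out_ifaces if i != "Null0"]
    if not real_paths:
        return False                          # a route to Null0 never validates a source
    if mode == "any":
        return True                           # loose: any usable route is enough
    return in_iface in real_paths             # strict: must arrive on one of the best return paths


def process(fib, src_ip, in_iface, counters, mode="rx", allow_default=False, acl=None):
    """Full decision: uRPF check first, then the optional ACL for packets that fail it."""
    if urpf_passes(fib, src_ip, in_iface, mode, allow_default):
        return "forward"
    counters.drops += 1                       # counted as a verification drop either way
    if acl is not None and acl(ipaddress.IPv4Address(src_ip)):
        counters.suppressed_drops += 1        # failed uRPF but permitted by the ACL
        return "forward"
    return "drop"


# Constructed FIB: a learned prefix, one ECMP prefix, one discard route and a default route.
FIB = [
    FibEntry(ipaddress.ip_network("192.168.10.0/24"), ("Gi0/1",)),
    FibEntry(ipaddress.ip_network("172.16.0.0/16"), ("Gi0/1", "Gi0/2")),   # equal-cost paths
    FibEntry(ipaddress.ip_network("10.0.0.0/8"), ("Null0",)),              # discard route
    FibEntry(ipaddress.ip_network("0.0.0.0/0"), ("Gi0/2",)),               # default route
]


def acl_10(src):
    """Stand-in for 'permit 192.168.10.0 0.0.0.255' (wildcard 0.0.0.255 == /24)."""
    return src in ipaddress.ip_network("192.168.10.0/24")


if __name__ == "__main__":
    c = Counters()
    # A known source arriving on the wrong interface: strict drops it, loose accepts it,
    # and with the ACL the drop is suppressed and the packet forwarded.
    print(process(FIB, "192.168.10.1", "Gi0/0", c))                        # drop
    print(process(FIB, "192.168.10.1", "Gi0/0", c, mode="any"))            # forward
    print(process(FIB, "192.168.10.1", "Gi0/0", c, acl=acl_10))            # forward (suppressed drop)
    print(process(FIB, "203.0.113.5", "Gi0/2", c, mode="any"))             # drop: default route only
    print(process(FIB, "203.0.113.5", "Gi0/2", c, mode="any", allow_default=True))  # forward
    print(c)
```

The ECMP entry for 172.16.0.0/16 shows why strict mode accepts a packet on either Gi0/1 or Gi0/2: all equal-cost return paths are valid. Swapping the FIB for one where the return path differs from the arrival interface reproduces the asymmetric-routing drop that the strict-mode caveat warns about.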

uRPF Configuration

uRPF is configured on the ingress interface using the command:

ip verify unicast source reachable-via <rx | any> <allow-default> <allow-self-ping> <ACL>

Where:

  • rx: enables strict mode
  • any: enables loose mode
  • allow-default: allows the use of a default route. It can be used in strict mode or loose mode.
  • allow-self-ping: allows self-pinging when checking reachability of IP address. Cisco specifically discourages configuration of uRPF with allow-self-ping as it introduces security loopholes that can be leveraged for Denial of Service (DoS) attacks.

Do not configure strict mode on an uplink interface. Loose mode may be more appropriate in these cases.

R1(config)#interface g0/0
R1(config-if)#ip verify unicast source reachable-via any

To permit traffic that fails a uRPF check and is permitted by an access control list:

  1. Configure an access control list that permits traffic from the source network.
  2. Configure uRPF and reference the ACL.

R2(config)#ip access-list standard 10
R2(config-std-nacl)#10 permit 192.168.10.0 0.0.0.255 log
R2(config-std-nacl)#exit
R2(config)#interface g0/0
R2(config-if)#ip verify unicast source reachable-via any 10
------------------------------------
!R1
R1#ping 192.168.23.2 source lo10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.....
Success rate is 0 percent (0/5)
R1#
----------------------------------------------
!R2
*Apr 15 23:32:22.939: %SEC-6-IPACCESSLOGNP: list 10 permitted 0 192.168.10.1 -> 192.168.23.2, 1 packet
*Apr 15 23:38:06.071: %SEC-6-IPACCESSLOGNP: list 10 permitted 0 192.168.10.1 -> 192.168.23.2, 4 packets

Verification

show ip interface <interface-id>

The following information can be learned from the output of the command show ip interface <interface-id>:

  • The number of packets dropped by the action of uRPF.
  • Confirmation that uRPF is operational on the interface.
  • The number of packets that were dropped by uRPF but permitted by an ACL.

R2#show ip interface g0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 192.168.1.2/30
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.5 224.0.0.6
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP CEF turbo switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: uRPF, MCI Check
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled
  IP verify source reachable-via ANY, ACL 10
   5 verification drops
   5 suppressed verification drops
   0 verification drop-rate

show cef interface <interface-id>

R2#show cef interface g0/0
GigabitEthernet0/0 is up (if_number 4)
  Corresponding hwidb fast_if_number 4
  Corresponding hwidb firstsw->if_number 4
  Internet address is 192.168.1.2/30
  ICMP redirects are never sent
  Per packet load-sharing is disabled
  IP unicast RPF check is enabled
  Input features: uRPF
  IP policy routing is disabled
  BGP based policy accounting on input is disabled
  BGP based policy accounting on output is disabled
  Hardware idb is GigabitEthernet0/0
  Fast switching type 1, interface type 27
  IP CEF switching enabled
  IP CEF switching turbo vector
  IP CEF turbo switching turbo vector
  IP prefix lookup IPv4 mtrie 8-8-8-8 optimized
  Input fast flags 0x4000, Output fast flags 0x0
  ifindex 4(4)
  Slot Slot unit 0 VC -1
  IP MTU 1500

show ip traffic

R2#show ip traffic
IP statistics:
  Rcvd:  739 total, 733 local destination
         0 format errors, 0 checksum errors, 1 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 fragments, 0 couldn't fragment
  Bcast: 0 received, 0 sent
  Mcast: 712 received, 721 sent
  Sent:  749 generated, 55 forwarded
  Drop:  1 encapsulation failed, 0 unresolved, 0 no adjacency
         0 no route, 5 unicast RPF, 0 forced drop
         0 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address
         0 physical broadcast
  Reinj: 0 in input feature path, 0 in output feature path

show ip verify statistics

Provides uRPF statistics on a PIX, ASA or FWSM firewall.

Access Control Lists and Logging

If a packet fails the uRPF check, uRPF consults the linked ACL to decide whether the packet should be dropped (ACL deny statement) or forwarded (permit statement). Regardless of whether the packet is dropped or forwarded, it is counted in the global IP traffic statistics for unicast RPF drops and in the interface statistics for uRPF. To log uRPF events, specify the logging option on the ACL entry (ACE). From the log messages, administrators can see the source addresses used in an attack and the time at which the packets arrived on an interface.

Note: Logging uRPF events for attacks that have a high rate of forged packets can degrade performance of the device.
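The %SEC-6-IPACCESSLOGNP messages shown earlier are what the ACL's log keyword produces, and aggregating them is how the source addresses and arrival times mentioned above are actually recovered. The following Python is an added example, not Cisco code: the first two log lines are the ones from this page, the remaining lines are constructed (including a denied, high-rate source and an unrelated message that must be ignored), and the reading of the numeric field after the action as the IP protocol number is an assumption about this message format.

```python
"""Summarise %SEC-6-IPACCESSLOGNP messages produced by an ACL attached to uRPF.

Added example, not Cisco code. The first two log lines are the ones shown on this
page; the remaining lines are constructed to show a denied, high-rate source.
"""
import re
from collections import defaultdict

# Message layout as it appears on this page: timestamp, list name, action, a numeric
# field (assumed to be the IP protocol number), src -> dst, packet count.
LOG_RE = re.compile(
    r"^\*?(?P<ts>[A-Za-z]{3}\s+\d{1,2} [\d:.]+): %SEC-6-IPACCESSLOGNP: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+), (?P<count>\d+) packets?$"
)

# Constructed sample: two lines from the page plus a denied source and a non-ACL message.
SAMPLE_LOG = """\
*Apr 15 23:32:22.939: %SEC-6-IPACCESSLOGNP: list 10 permitted 0 192.168.10.1 -> 192.168.23.2, 1 packet
*Apr 15 23:38:06.071: %SEC-6-IPACCESSLOGNP: list 10 permitted 0 192.168.10.1 -> 192.168.23.2, 4 packets
*Apr 15 23:40:01.110: %SEC-6-IPACCESSLOGNP: list 10 denied 0 10.1.1.1 -> 192.168.23.2, 1 packet
*Apr 15 23:45:01.250: %SEC-6-IPACCESSLOGNP: list 10 denied 0 10.1.1.1 -> 192.168.23.3, 249 packets
%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
"""


def parse_line(line):
    """Return the fields of one IPACCESSLOGNP line, or None for any other message."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def summarize(text):
    """Aggregate per (acl, action, source): total packets, first/last seen, destinations hit."""
    summary = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["acl"], rec["action"], rec["src"])
        agg = summary.setdefault(key, {"packets": 0, "first": rec["ts"], "last": rec["ts"], "dsts": set()})
        agg["packets"] += rec["count"]
        agg["last"] = rec["ts"]               # lines arrive in time order
        agg["dsts"].add(rec["dst"])
    return summary


def top_sources(text, n=5):
    """Sources ranked by packets that failed the uRPF check, whichever way the ACL decided."""
    per_src = defaultdict(int)
    for (_, _, src), agg in summarize(text).items():
        per_src[src] += agg["packets"]
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for key, agg in summarize(SAMPLE_LOG).items():
        print(key, agg["packets"], agg["first"], "->", agg["last"], sorted(agg["dsts"]))
    print(top_sources(SAMPLE_LOG))
```

Both permitted and denied entries represent packets that failed the uRPF check; the permitted ones are the suppressed drops, so a permitted source with a large count is worth as much attention as a denied one when the ACL exception was meant for a small, known asymmetric path.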

Per-Interface Statistics

Per-interface statistics allow tracking of uRPF drops and uRPF suppressed drops. These statistics help identify the interface that is the entry point of an attack. Suppressed drops are the count of packets that failed the uRPF check but were permitted by the ACL; in the show ip interface g0/0 output under Verification above, the 5 verification drops and 5 suppressed verification drops on R2 show that the five failed packets were all forwarded under ACL 10.
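Reading those counters for every interface at once is what turns them into an entry-point check. The following Python is an added example, not Cisco code: the GigabitEthernet0/0 block reproduces the uRPF lines from this page's show ip interface output, the other two interfaces are constructed, and the spelling reachable-via RX for a strict-mode interface is an assumption about the output format.

```python
"""Pull the uRPF state and counters out of 'show ip interface' output.

Added example, not Cisco code. The GigabitEthernet0/0 block reproduces the
counters shown on this page; the other interfaces are constructed, and the
'reachable-via RX' spelling for strict mode is an assumption about the output.
"""
import re

# Constructed sample (trimmed to the lines that matter for uRPF).
SAMPLE_SHOW = """\
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 192.168.1.2/30
  Input features: uRPF, MCI Check
  IP verify source reachable-via ANY, ACL 10
   5 verification drops
   5 suppressed verification drops
   0 verification drop-rate
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 192.168.2.1/30
  Input features: uRPF
  IP verify source reachable-via RX
   1200 verification drops
   0 suppressed verification drops
   40 verification drop-rate
GigabitEthernet0/2 is up, line protocol is up
  Internet address is 192.168.3.1/30
  Input features: MCI Check
"""

IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down), line protocol is")
VERIFY_RE = re.compile(r"^\s+IP verify source reachable-via (\S+?)(?:, ACL (\S+))?$")
COUNTER_RE = re.compile(
    r"^\s+(\d+) (verification drops|suppressed verification drops|verification drop-rate)$"
)
FIELD_NAMES = {
    "verification drops": "drops",
    "suppressed verification drops": "suppressed",
    "verification drop-rate": "drop_rate",
}


def urpf_counters(text):
    """Map interface name -> {mode, acl, drops, suppressed, drop_rate}; mode is None if uRPF is off."""
    stats, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {"mode": None, "acl": None, "drops": 0, "suppressed": 0, "drop_rate": 0}
            continue
        if current is None:
            continue
        m = VERIFY_RE.match(line)
        if m:
            stats[current]["mode"] = m.group(1).lower()   # 'any' = loose, 'rx' = strict
            stats[current]["acl"] = m.group(2)            # None when no ACL is referenced
            continue
        m = COUNTER_RE.match(line)
        if m:
            stats[current][FIELD_NAMES[m.group(2)]] = int(m.group(1))
    return stats


def unprotected_interfaces(text):
    """Interfaces with no uRPF configuration at all (a coverage gap to review)."""
    return sorted(name for name, s in urpf_counters(text).items() if s["mode"] is None)


def busiest_interface(text):
    """Likely entry point of spoofed traffic: most verification drops (which include suppressed ones)."""
    protected = {n: s for n, s in urpf_counters(text).items() if s["mode"] is not None}
    if not protected:
        return None
    return max(protected, key=lambda n: protected[n]["drops"])


if __name__ == "__main__":
    for name, s in urpf_counters(SAMPLE_SHOW).items():
        print(name, s)
    print("unprotected:", unprotected_interfaces(SAMPLE_SHOW))
    print("busiest:", busiest_interface(SAMPLE_SHOW))
```

Run against the real command output (for example piped from a terminal session capture), the same functions give a per-interface table, a list of interfaces where uRPF is not enabled, and the interface absorbing most of the failed checks.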

Implementing Unicast RPF

uRPF implementation principles:

  1. Packets must be received on an interface that has the best return path to the source (symmetric routing). There must be a route in the FIB that matches the source network through the receiving interface. ACLs permit uRPF to be used when packets are known to be arriving by specific, less optimal asymmetric input paths.
  2. IP source addresses at the receiving interface must match the routing entry for the interface.
  3. uRPF is an input function and is applied only on the input interface of a router at the upstream end of the network.

Where to use uRPF

uRPF does not inspect IP packets encapsulated in tunnels such as GRE, L2TP, PPTP. Configure uRPF so that it processes network traffic only after tunneling and encryption headers have been stripped from the packets. uRPF can be used in any single-homed environment (symmetric routing). In such a case, uRPF is best used at the network perimeter for Internet, intranet and extranet. uRPF on an ingress interface from the Internet protects an enterprise from packets with malformed or spoofed source IP addresses from the Internet. If implemented in an ISP, it protects the ISP from spoofed packets from an enterprise.

Optimizing uRPF with ACLs

To leverage the available features of routers in providing protection against source IP address spoofing, it is recommended that uRPF be configured along with the following:

  1. Configure ACLs to drop IP packets that have invalid source addresses (ingress filtering)
  2. Configure ACLs to permit packets that fail the uRPF checks to allow specific traffic from known asymmetric routed sources.
  3. Configure ACLs to track uRPF events by adding the logging option to the ACL. Logging of denied or forwarded (suppressed-drop) packets can provide additional information about network attacks.

Restrictions to uRPF

Basic restrictions to applying uRPF:

  • Clients should not be multi-homed to the same router.
  • Ensure that packets flowing up the link (to the Internet) match the route advertised out the link.
  • uRPF is available on platforms that support CEF.

uRPF is particularly important in ISPs.