Overview
Unicast Reverse Path Forwarding (uRPF) limits malicious traffic in a network by dropping packets transiting a router whose source IP addresses cannot be verified. The design intention of uRPF is to block IP packets with spoofed or malformed source IP addresses. It does this by checking the source IP address of packets arriving on an interface and determining whether the network of that source address is reachable according to the Layer 3 forwarding information in the Forwarding Information Base (FIB). The FIB is generated by Cisco Express Forwarding (CEF). If the network of the packet's source IP address is not reachable, the packet is dropped.
By default, a router checks only the reachability of the destination IP address before forwarding a packet. With uRPF, the router validates the reachability of the source IP address as well. uRPF can also be configured to verify that the interface on which a packet arrives is the one the router would itself use to send traffic back to the packet's source network.
For uRPF to function, CEF must be enabled globally (using the global configuration command ip cef).
How uRPF Works
The uRPF feature helps to mitigate problems caused by the injection of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable source address. A number of common Denial-of-Service (DoS) attacks, such as smurf and Tribe Flood Network (TFN) attacks, rely on forged or rapidly changing source IP addresses.
uRPF depends on CEF being enabled because the lookup relies on the FIB which is generated by CEF. uRPF is an input function and is applied only on the input interface of a router at the upstream end of a connection.
uRPF checks to see if any packet received at a router interface arrives on the best return path to the source of the packet. uRPF does this by carrying out a reverse lookup in the CEF table. If the packet is received from one of the reverse path routes, the packet is forwarded as normal.
If no reverse path for the packet is found, the packet is dropped, or forwarded if an ACL referenced in the uRPF configuration permits it.
With uRPF, all equal-cost return paths are considered valid. uRPF works where multiple return paths exist, provided that each path is equal to the others in routing cost (hop count, metric and so on) and the route is in the FIB. uRPF also functions where EIGRP variants are used and unequal-cost candidate paths back to the source exist.
Unicast RPF Operation Modes
uRPF operates in three modes: strict, loose and VRF modes. Some modes may not be available on some Cisco router models.
- Strict mode: uRPF checks that the source IP address is reachable according to the FIB and that the packet arrived on the same interface the router would use to send traffic back to that address. Strict mode should only be used where there is no possibility of asymmetric routing, otherwise legitimate packets are dropped. Asymmetric routing is common in multi-homed BGP environments.
- Loose mode: The router only verifies that the source IP address is reachable according to the FIB; the ingress interface is not checked. The default route and routes pointing to interface Null0 do not count as valid reachability. If no other route for the source exists in the FIB, the packet is dropped.
- VRF mode: This mode is similar to loose mode but is deployed in VRF environments; the reverse lookup is performed against the VRF of the receiving interface rather than the global table. It is commonly used in ISP networks running MPLS and BGP.
If an ACL is referenced in the uRPF configuration, it is consulted only when the uRPF check fails. If the check fails and the packet is permitted by the ACL, the packet is forwarded anyway and counted as a suppressed drop. If the ACL denies the packet (explicitly, or through the implicit deny at the end of the list), the packet is dropped.
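The following Python model, added here as an illustration and not Cisco code, implements the decision logic described above for strict and loose mode: a longest-prefix lookup of the source in a FIB, the allow-default and Null0 rules, and the ACL that turns a failed check into a suppressed drop rather than a discard. VRF mode is not modelled. The FIB, interface names and ACL are constructed for the example (loosely modelled on R2 in the lab below), and the two counters mirror the verification drops and suppressed verification drops that show ip interface reports.

```python
"""Model of the uRPF decision described above. Added illustration; not Cisco
code and not a substitute for the platform's CEF lookup."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_ifs: frozenset      # every equal-cost next-hop interface; "Null0" models a black-hole route


@dataclass
class Counters:
    verification_drops: int = 0     # every packet that failed the check (show ip interface)
    suppressed_drops: int = 0       # failed the check but permitted by the ACL, so forwarded


def fib_lookup(fib, src):
    """Longest-prefix match on the source address: the reverse lookup CEF performs."""
    ip = ipaddress.IPv4Address(src)
    best = None
    for route in fib:
        if ip in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def acl_permits(acl, src):
    """Standard ACL: ordered (action, network) entries, first match wins, implicit deny."""
    ip = ipaddress.IPv4Address(src)
    for action, network in acl:
        if ip in network:
            return action == "permit"
    return False


def urpf(fib, in_if, src, mode="rx", allow_default=False, acl=None, counters=None):
    """Decide one packet: 'forward', 'drop', or 'suppressed' (failed but ACL-permitted)."""
    route = fib_lookup(fib, src)
    passed = route is not None
    if passed and route.prefix.prefixlen == 0 and not allow_default:
        passed = False                      # default route only counts with allow-default
    if passed and "Null0" in route.out_ifs:
        passed = False                      # source is black-holed, never a valid reverse path
    if passed and mode == "rx" and in_if not in route.out_ifs:
        passed = False                      # strict: must arrive on one of the best return paths
    if passed:
        return "forward"
    if counters is not None:
        counters.verification_drops += 1
    if acl is not None and acl_permits(acl, src):
        if counters is not None:
            counters.suppressed_drops += 1
        return "suppressed"
    return "drop"


# Constructed FIB and ACL for the example (hypothetical, loosely modelled on R2 in the lab below).
net = ipaddress.ip_network
R2_FIB = [
    Route(net("192.168.1.0/30"), frozenset({"GigabitEthernet0/0"})),   # link to R1
    Route(net("192.168.23.0/24"), frozenset({"GigabitEthernet0/1"})),
    Route(net("172.16.0.0/16"), frozenset({"GigabitEthernet0/1", "GigabitEthernet0/2"})),  # equal-cost
    Route(net("10.0.0.0/8"), frozenset({"Null0"})),                     # black hole
    Route(net("0.0.0.0/0"), frozenset({"GigabitEthernet0/1"})),          # default via upstream
]
ACL_10 = [("permit", net("192.168.10.0/24"))]   # the uRPF exception used in the ACL section below

if __name__ == "__main__":
    c = Counters()
    for in_if, src, mode in [("GigabitEthernet0/0", "192.168.1.1", "rx"),
                             ("GigabitEthernet0/0", "192.168.23.5", "rx"),
                             ("GigabitEthernet0/0", "192.168.10.1", "any")]:
        print(in_if, src, mode, "->", urpf(R2_FIB, in_if, src, mode, acl=ACL_10, counters=c))
    print(c)
```

Note how the same source (8.8.8.8, reachable only via the default route) is dropped in loose mode, accepted in loose mode with allow-default, and in strict mode with allow-default accepted only on the interface the default route points to. That last combination is the one normally used on an upstream link.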
uRPF Configuration
uRPF is configured on the ingress interface with the command:
ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [<ACL>]
Where:
- rx: enables strict mode (the packet must arrive on the interface the router would use to reach the source).
- any: enables loose mode (the source only has to be reachable through some interface).
- allow-default: allows the default route to satisfy the check. By default, uRPF drops packets whose source network is reachable only via the default route. It can be used in strict or loose mode; in strict mode the packet must additionally arrive on the interface the default route points to.
- allow-self-ping: allows the router to ping its own interface addresses through an interface on which uRPF is applied. Cisco specifically discourages configuring allow-self-ping because it opens a loophole that can be leveraged for Denial of Service (DoS) attacks.
- <ACL>: a numbered ACL consulted only when the check fails; sources it permits are forwarded and counted as suppressed drops.
The following example enables loose mode on interface g0/0:
R1(config)#interface g0/0
R1(config-if)#ip verify unicast source reachable-via any
uRPF with Access Control Lists
To forward traffic that fails the uRPF check when an access control list permits it:
- Configure an access control list that permits the source network in question (add the log keyword if the exceptions should be recorded).
- Configure uRPF on the ingress interface and reference the ACL.
R2(config)#ip access-list standard 10
R2(config-std-nacl)#10 permit 192.168.10.0 0.0.0.255 log
R2(config-std-nacl)#exit
R2(config)#interface g0/0
R2(config-if)#ip verify unicast source reachable-via any 10
------------------------------------
!R1
R1#ping 192.168.23.2 source lo10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.....
Success rate is 0 percent (0/5)
R1#
----------------------------------------------
!R2
*Apr 15 23:32:22.939: %SEC-6-IPACCESSLOGNP: list 10 permitted 0 192.168.10.1 -> 192.168.23.2, 1 packet
*Apr 15 23:38:06.071: %SEC-6-IPACCESSLOGNP: list 10 permitted 0 192.168.10.1 -> 192.168.23.2, 4 packets
In this lab R2 has no route to 192.168.10.0/24 in its FIB, so all five echo requests fail the loose-mode check; ACL 10 permits them, so they are forwarded rather than dropped and are logged (1 + 4 = 5 packets, matching the counters under Verification below). The ping still shows 0 percent success because the same missing route leaves no path back to 192.168.10.1 for the echo replies.
Verification
show ip interface <interface-id>
The output of show ip interface <interface-id> shows:
- whether uRPF is enabled on the interface, in which mode (RX for strict, ANY for loose) and which ACL, if any, is referenced;
- the number of packets that failed the uRPF check (verification drops);
- the number of packets that failed the check but were permitted by the ACL and therefore forwarded (suppressed verification drops). The number actually discarded is verification drops minus suppressed verification drops; in the output below all five failures were suppressed by ACL 10.
R2#show ip interface g0/0
GigabitEthernet0/0 is up, line protocol is up
Internet address is 192.168.1.2/30
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.5 224.0.0.6
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP CEF turbo switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: uRPF, MCI Check
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
IP verify source reachable-via ANY, ACL 10
5 verification drops
5 suppressed verification drops
0 verification drop-rate
show cef interface <interface-id>
R2#show cef interface g0/0
GigabitEthernet0/0 is up (if_number 4)
Corresponding hwidb fast_if_number 4
Corresponding hwidb firstsw->if_number 4
Internet address is 192.168.1.2/30
ICMP redirects are never sent
Per packet load-sharing is disabled
IP unicast RPF check is enabled
Input features: uRPF
IP policy routing is disabled
BGP based policy accounting on input is disabled
BGP based policy accounting on output is disabled
Hardware idb is GigabitEthernet0/0
Fast switching type 1, interface type 27
IP CEF switching enabled
IP CEF switching turbo vector
IP CEF turbo switching turbo vector
IP prefix lookup IPv4 mtrie 8-8-8-8 optimized
Input fast flags 0x4000, Output fast flags 0x0
ifindex 4(4)
Slot Slot unit 0 VC -1
IP MTU 1500
show ip traffic
R2#show ip traffic
IP statistics:
Rcvd: 739 total, 733 local destination
0 format errors, 0 checksum errors, 1 bad hop count
0 unknown protocol, 0 not a gateway
0 security failures, 0 bad options, 0 with options
Opts: 0 end, 0 nop, 0 basic security, 0 loose source route
0 timestamp, 0 extended security, 0 record route
0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
0 other
Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
0 fragmented, 0 fragments, 0 couldn't fragment
Bcast: 0 received, 0 sent
Mcast: 712 received, 721 sent
Sent: 749 generated, 55 forwarded
Drop: 1 encapsulation failed, 0 unresolved, 0 no adjacency
0 no route, 5 unicast RPF, 0 forced drop
0 options denied
Drop: 0 packets with source IP address zero
Drop: 0 packets with internal loop back IP address
0 physical broadcast
Reinj: 0 in input feature path, 0 in output feature path
show ip verify statistics
On PIX, ASA and FWSM firewalls, uRPF statistics are displayed with show ip verify statistics rather than with the IOS commands above.
Access Control Lists and Logging
If a packet fails the uRPF check, uRPF consults the referenced ACL to decide whether the packet should be dropped (ACL deny entry) or forwarded (permit entry). Regardless of whether the packet is dropped or forwarded, it is counted in the global IP traffic statistics for uRPF drops and in the interface statistics for uRPF. To log uRPF events, add the log keyword to the ACL entries. With that information, administrators can see the source addresses used in an attack and the times at which the packets arrived on the interface.
Note: Logging uRPF events during an attack with a high rate of forged packets can degrade performance of the device, because logged packets are handled by the CPU rather than in the forwarding path. Keep ACL logging rate-limited and treat the counters, not the log, as the primary signal.
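As an added example (not from the original page), the following Python snippet parses %SEC-6-IPACCESSLOG messages like those shown above and aggregates packets per ACL and source, so that the addresses used in an attack, the destinations they targeted, and when they first and last appeared can be read off a syslog feed. The first two log lines are the ones from the lab above; the remaining lines, the 203.0.113.77 source and the 100-packet threshold are constructed.

```python
"""Aggregate Cisco ACL log messages generated by a uRPF exception ACL.
Added example; sample lines after the first two are constructed."""
import re

# Matches IPACCESSLOGNP / IPACCESSLOGP style entries, with or without (port) suffixes:
#   "... %SEC-6-IPACCESSLOGNP: list 10 permitted 0 192.168.10.1 -> 192.168.23.2, 4 packets"
#   "... %SEC-6-IPACCESSLOGP: list 10 denied tcp 203.0.113.77(4444) -> 192.168.23.2(80), 812 packets"
LOG_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)(?:\.\d+)?:\s+"
    r"%SEC-6-IPACCESSLOG\w+:\s+list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\(\d+\))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\(\d+\))?,\s+(?P<count>\d+)\s+packets?"
)


def parse_line(line):
    """Return the fields of one ACL log message, or None for unrelated syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def summarize(lines):
    """Aggregate per (ACL, source): packets, actions seen, first/last timestamp, destinations."""
    summary = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["acl"], rec["src"])
        entry = summary.setdefault(key, {"packets": 0, "actions": set(),
                                         "first": rec["ts"], "last": rec["ts"], "dsts": set()})
        entry["packets"] += rec["count"]
        entry["actions"].add(rec["action"])
        entry["last"] = rec["ts"]          # syslog is read in chronological order
        entry["dsts"].add(rec["dst"])
    return summary


def suspects(summary, threshold):
    """Sources that sent at least `threshold` packets that failed uRPF, busiest first."""
    hits = [(src, e["packets"]) for (_acl, src), e in summary.items() if e["packets"] >= threshold]
    return sorted(hits, key=lambda t: t[1], reverse=True)


# Constructed sample: the first two lines are from the lab above, the rest are made up.
SAMPLE_LOG = """\
*Apr 15 23:32:22.939: %SEC-6-IPACCESSLOGNP: list 10 permitted 0 192.168.10.1 -> 192.168.23.2, 1 packet
*Apr 15 23:38:06.071: %SEC-6-IPACCESSLOGNP: list 10 permitted 0 192.168.10.1 -> 192.168.23.2, 4 packets
*Apr 15 23:40:11.502: %SEC-6-IPACCESSLOGP: list 10 denied tcp 203.0.113.77(4444) -> 192.168.23.2(80), 812 packets
*Apr 15 23:41:30.118: %SEC-6-IPACCESSLOGNP: list 10 denied 1 203.0.113.77 -> 192.168.23.2, 95 packets
*Apr 15 23:42:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""

if __name__ == "__main__":
    for key, entry in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, entry)
    print("suspects:", suspects(summarize(SAMPLE_LOG.splitlines()), 100))
```

The ACL counts packets per log interval, so the totals here are lower bounds; the counters in show ip interface remain authoritative for volume, and the log is for attribution.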
Per-Interface Statistics
Per-interface statistics track uRPF drops and uRPF suppressed drops. These counters help identify which interface is the entry point of an attack. Suppressed drops are packets that failed the uRPF check but were permitted by the referenced ACL (and therefore forwarded), so the number of packets actually discarded on an interface is verification drops minus suppressed verification drops. The counters appear at the end of the show ip interface output (shown in full in the Verification section above); the relevant lines can be filtered out directly:
R2#show ip interface g0/0 | include verif
IP verify source reachable-via ANY, ACL 10
5 verification drops
5 suppressed verification drops
0 verification drop-rate
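Added example, not from the page: because the counters are cumulative and the drop-rate field is frequently zero, a practical way to find the entry point of an attack is to take two snapshots of show ip interface some seconds apart and compute the per-interface rate of hard drops (verification drops minus suppressed drops). The Python below does that. The g0/0 counters are the ones shown above; the g0/1 interface, its strict-mode configuration and the second snapshot are constructed, and output lines the parser does not use are omitted from the samples.

```python
"""Rank interfaces by uRPF hard-drop rate from two show ip interface snapshots.
Added example; interface g0/1 and the second snapshot are constructed."""
import re

HEADER_RE = re.compile(r"^(?P<iface>\S+) is (?:up|down|administratively down)")
MODE_RE = re.compile(r"^IP verify source reachable-via (?P<mode>RX|ANY)(?P<rest>.*)$")
DROPS_RE = re.compile(r"^(?P<n>\d+) verification drops$")
SUPP_RE = re.compile(r"^(?P<n>\d+) suppressed verification drops$")


def parse_show_ip_interface(text):
    """Return {interface: {"mode", "acl", "drops", "suppressed"}} for every
    interface in the output that has uRPF enabled; other interfaces are skipped."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group("iface")
            continue
        if current is None:
            continue
        m = MODE_RE.match(line)
        if m:
            acl = re.search(r"ACL (\S+)", m.group("rest"))
            result[current] = {"mode": m.group("mode"),
                               "acl": acl.group(1) if acl else None,
                               "drops": 0, "suppressed": 0}
            continue
        if current in result:
            m = DROPS_RE.match(line)
            if m:
                result[current]["drops"] = int(m.group("n"))
            m = SUPP_RE.match(line)
            if m:
                result[current]["suppressed"] = int(m.group("n"))
    return result


def drop_deltas(before, after, seconds):
    """Per-interface packets/second of hard drops and suppressed drops between two snapshots."""
    deltas = {}
    for iface, now in after.items():
        prev = before.get(iface, {"drops": 0, "suppressed": 0})
        hard_now = now["drops"] - now["suppressed"]
        hard_prev = prev["drops"] - prev["suppressed"]
        deltas[iface] = {
            "hard_pps": (hard_now - hard_prev) / seconds,
            "suppressed_pps": (now["suppressed"] - prev["suppressed"]) / seconds,
        }
    return deltas


def entry_point(deltas):
    """Interface with the highest hard-drop rate, or None if nothing is being discarded."""
    worst = max(deltas, key=lambda i: deltas[i]["hard_pps"], default=None)
    return worst if worst is not None and deltas[worst]["hard_pps"] > 0 else None


# Constructed snapshots (unused lines of the real output omitted). g0/0 values are from the lab.
SNAPSHOT_T0 = """\
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 192.168.1.2/30
  Input features: uRPF, MCI Check
  IP verify source reachable-via ANY, ACL 10
  5 verification drops
  5 suppressed verification drops
  0 verification drop-rate
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 192.168.23.1/24
  Input features: uRPF
  IP verify source reachable-via RX, allow default
  0 verification drops
  0 suppressed verification drops
  0 verification drop-rate
Loopback0 is up, line protocol is up
  Internet address is 10.255.0.2/32
"""
SNAPSHOT_T1 = SNAPSHOT_T0.replace("  0 verification drops\n", "  12005 verification drops\n") \
                         .replace("  0 suppressed verification drops\n", "  5 suppressed verification drops\n")

if __name__ == "__main__":
    d = drop_deltas(parse_show_ip_interface(SNAPSHOT_T0), parse_show_ip_interface(SNAPSHOT_T1), 60)
    print(d, "entry point:", entry_point(d))
```

In the constructed second snapshot, taken 60 seconds later, g0/1 has accumulated 12,000 hard drops, so it is reported as the entry point while g0/0, whose only failures are ACL-suppressed, stays at zero.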
Implementing Unicast RPF
uRPF implementation principles:
- Packets must be received on an interface that has the best return path to the source (symmetric routing), and the FIB must contain a route for the source that points to the receiving interface. Where packets are known to arrive over specific, less optimal asymmetric paths, an ACL can be referenced so that uRPF still applies to everything else.
- The source IP addresses seen on the receiving interface must match the routing entries for that interface.
- uRPF is an input function and is applied only on the input interface of a router at the upstream end of the network.
Where to use uRPF
uRPF does not inspect IP packets encapsulated in tunnels such as GRE, L2TP or PPTP: on the interface receiving the tunnel transport, only the outer header's source is checked. Apply uRPF at a point where it processes traffic after the tunnel and encryption headers have been stripped, so that the inner packets are the ones being verified. Strict-mode uRPF can be used in any single-homed environment (symmetric routing); loose mode is the option where routing is asymmetric. uRPF is best deployed at the network perimeter, for Internet, intranet and extranet connections. On an enterprise's Internet-facing ingress interface it protects the enterprise from packets with malformed or spoofed source IP addresses arriving from the Internet; on an ISP's customer-facing interface it protects the ISP (and the rest of the Internet) from spoofed packets originating in the customer's network.
uRPF Types
uRPF is always an input check on the router, but depending on which interface it is applied to it performs one of two kinds of anti-spoofing filtering:
- Ingress Filtering: applied on the interface facing the outside (for example the Internet uplink), it prevents spoofed packets from entering the network.
- Egress Filtering: applied on the interface facing the inside of the network (for example an ISP's customer-facing interface), it prevents hosts inside the network from sending packets with spoofed source addresses out to the rest of the Internet, as recommended by BCP 38.
Benefits of uRPF
uRPF provides several benefits, including:
- Prevention of IP Spoofing Attacks: uRPF discards packets whose source IP address is not reachable (or, in strict mode, not reachable via the receiving interface), which blocks the most common forms of source address spoofing.
- Denial of Service (DoS) Attack Mitigation: many DoS and reflection attacks depend on spoofed sources; dropping such packets at the edge reduces both the attacks a network receives and the attacks it can be used to launch.
- Protection of trusted addresses: uRPF does not by itself prevent man-in-the-middle attacks, but it does stop an attacker from impersonating a source address that legitimately lives elsewhere in the network, which defeats attacks that rely on such impersonation.
Limitations of uRPF
uRPF has several limitations, including:
- Asymmetric Routing: when the return path to a source differs from the path its packets arrive on, strict mode drops legitimate traffic; loose mode or an ACL exception is then required.
- Load Sharing and Multiple Paths: where traffic toward a source is load-shared over unequal-cost paths or across several routers, the receiving interface may not be a best return path, which again breaks strict mode.
- Limited Scope: an attacker can still spoof any address within the prefixes that are legitimately routed toward their own interface, so uRPF limits spoofing to the attacker's own address space rather than eliminating it.
- Network Complexity: uRPF adds configuration and operational complexity, and every routing change can alter which sources pass the check.
Recommended Locations to Configure Unicast Reverse Path Forwarding (uRPF)
Location | Description | Reason for Configuration |
---|---|---|
Edge Routers | Routers connecting the internal network to external networks (e.g., the Internet). | Filters out spoofed packets from external sources before they enter the internal network, preventing attacks. |
Distribution Layer Routers | Routers that aggregate traffic from access layer switches and route it to the core layer. | Ensures that traffic from different access points is validated before being forwarded to the core network. |
Core Routers (Selective) | Routers responsible for high-speed data transfer between different parts of the network. | Validates traffic passing through the core, especially on routers connecting to multiple distribution layers or external networks. |
Interconnected Networks | Routers connecting different segments of a network or different networks (e.g., branch offices). | Validates the source of packets from different segments or external networks, reducing the risk of spoofed traffic. |
Access Layer Routers (Cautiously) | Routers connecting end devices (like computers and printers) to the network. | Can be configured in high-risk environments to validate all incoming traffic, though less common. |
Considerations for Configuration
Consideration | Details |
---|---|
Network Design | Consider overall network design and traffic patterns to avoid dropping legitimate traffic. |
Routing Protocols | Ensure compatibility of routing protocols with uRPF; keep the routing table accurate and up-to-date. |
Testing | Test configurations in a lab or staging environment before production deployment. |
Monitoring and Logging | Implement monitoring and logging to track uRPF effectiveness and identify any legitimate traffic drops. |
Best Practices for Implementing uRPF
To implement uRPF effectively, follow these best practices:
- Configure uRPF on Edge Routers: apply it on edge interfaces to stop spoofed packets coming from outside the network and, on customer- or LAN-facing interfaces, from inside it.
- Use Strict Mode where routing is symmetric: strict mode provides the strongest check but drops legitimate traffic under asymmetric routing; fall back to loose mode where symmetry cannot be guaranteed.
- Monitor and Analyze Traffic: watch the verification-drop and suppressed-drop counters and the ACL logs to spot both attacks and legitimate traffic being dropped.
- Configure Exceptions: use the ACL referenced in the uRPF command to permit specific IP addresses or networks that are known to arrive asymmetrically, rather than disabling uRPF on the interface.
Optimizing uRPF with ACLs
To make the most of the router's protection against source IP address spoofing, it is recommended that uRPF be combined with the following:
- Configure ACLs to drop IP packets that have invalid source addresses (ingress filtering), such as private (RFC 1918) and other reserved address space, which uRPF alone will not catch if a route for them happens to exist.
- Configure ACLs to permit packets that fail the uRPF check for specific traffic from known asymmetrically routed sources.
- Configure ACLs to track uRPF events by adding the log keyword to the ACL entries. Logging of both denied and forwarded (suppressed drop) packets provides additional information about network attacks.
Restrictions to uRPF
Basic restrictions on applying uRPF:
- Clients should not be multi-homed to the same router.
- Ensure that packets flowing up the link (toward the Internet) match the route advertised out that link; otherwise the upstream's uRPF check will drop them.
- uRPF is available only on platforms and software images that support CEF.