10-Security Configuration Guide

09-uRPF configuration

Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks.

Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.

Figure 1 Source address spoofing attack


As shown in Figure 1, an attacker on Router A sends the server (Router B) requests with a forged source IP address 2.2.2.1 at a high rate, and Router B sends response packets to IP address 2.2.2.1 (Router C). Consequently, both Router B and Router C are attacked. If the administrator disconnects Router C by mistake, the network service is interrupted.

Attackers can also send packets with different forged source addresses or attack multiple servers simultaneously to block connections or even break down the network.

uRPF can prevent these source address spoofing attacks. It checks whether an interface that receives a packet is the output interface of the FIB entry that matches the source address of the packet. If not, uRPF considers it a spoofing attack and discards the packet.

uRPF check modes

uRPF includes strict and loose modes. The switch supports only the strict mode.

·     Strict uRPF check—To pass strict uRPF check, the source address of a packet and the receiving interface must match the destination address and output interface of a FIB entry. In some scenarios (for example, asymmetrical routing), strict uRPF might discard valid packets. Strict uRPF is often deployed between a PE and a CE.

Strict uRPF check can further perform link layer check on a packet. It uses the next hop address in the matching FIB entry to look up the ARP table for a matching entry. If the source MAC address of the packet matches the MAC address in the matching ARP entry, the packet passes strict uRPF check. Link layer check is applicable to ISP devices where a Layer 3 Ethernet interface connects a large number of PCs. Loose uRPF does not support link layer check.

·     Loose uRPF check—To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry. Loose uRPF avoids discarding valid packets, but might let attack packets through. Loose uRPF is often deployed between ISPs, especially in asymmetrical routing.

uRPF operation

uRPF does not check multicast packets.

uRPF works as follows:

1.     uRPF checks source address validity:

¡     uRPF discards packets with a broadcast source address.

¡     uRPF discards packets with an all-zero source address and a non-broadcast destination address. (A packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a DHCP or BOOTP packet and cannot be discarded.)

2.     If the source IP address of an incoming packet is found in the FIB table:

uRPF does a reverse route lookup for routes to the source address of the packet. If at least one outgoing interface of such a route matches the receiving interface, the packet passes the check. Otherwise, the packet is discarded. A reverse route lookup searches the FIB for the entry whose destination is the source IP address of the packet and takes that entry's outgoing interfaces.

3.     If the packet has its source IP address found in the FIB table and passes the check, uRPF starts the link layer check:

¡     If the link-check keyword is not configured, the packet passes the check and is forwarded.

¡     If the link-check keyword is configured, uRPF compares the MAC address of the next hop in the FIB entry with the source MAC address of the packet. If they are the same, the packet passes the check. Otherwise, the packet is rejected.
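The following Python model is an added illustration (not H3C code) of the strict and loose check modes described above and of the three-step operation just listed: source address validity, reverse route lookup, and the optional link layer check. The FIB entries, ARP entry and packets are constructed samples; the interface names and the 1.1.1.0/24 addresses follow the configuration example later on this page, and the rule that a directly connected route uses the packet's own source address as the ARP key is an assumption of this model.

```python
"""Model of the uRPF check (constructed illustration, not H3C code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FibEntry:
    prefix: IPv4Network
    out_ifaces: Tuple[str, ...]             # more than one entry models an ECMP route
    next_hop: Optional[IPv4Address] = None  # None: directly connected prefix


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    in_iface: str
    src_mac: str = ""


BROADCAST = IPv4Address("255.255.255.255")
UNSPECIFIED = IPv4Address("0.0.0.0")


def fib_lookup(fib: List[FibEntry], addr: IPv4Address) -> Optional[FibEntry]:
    """Longest-prefix match; None when no entry covers addr (sample FIB has no default route)."""
    best = None
    for entry in fib:
        if addr in entry.prefix and (best is None or entry.prefix.prefixlen > best.prefix.prefixlen):
            best = entry
    return best


def urpf_check(pkt: Packet, fib: List[FibEntry], mode: str = "strict",
               link_check: bool = False, arp: Optional[Dict[IPv4Address, str]] = None):
    """Return (passed, reason) for one incoming packet."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    # Step 1: source address validity.
    if pkt.src == BROADCAST:
        return False, "broadcast source address"
    if pkt.src == UNSPECIFIED:
        if pkt.dst == BROADCAST:
            return True, "0.0.0.0 to 255.255.255.255 (possible DHCP/BOOTP), not discarded"
        return False, "all-zero source with non-broadcast destination"
    # Step 2: reverse route lookup on the source address.
    route = fib_lookup(fib, pkt.src)
    if route is None:
        return False, "no FIB entry matches the source address"
    if mode == "loose":
        return True, "loose: a route to the source exists"  # loose mode has no link layer check
    if pkt.in_iface not in route.out_ifaces:
        return False, "strict: route to source leaves via %s, packet arrived on %s" % (
            "/".join(route.out_ifaces), pkt.in_iface)
    # Step 3: link layer check (only when the link-check keyword is configured).
    if not link_check:
        return True, "strict: receiving interface matches a route output interface"
    neighbour = route.next_hop if route.next_hop is not None else pkt.src  # assumption for connected routes
    expected_mac = (arp or {}).get(neighbour)
    if expected_mac is None:
        return False, "link-check: no ARP entry for next hop %s" % neighbour
    if expected_mac.lower() != pkt.src_mac.lower():
        return False, "link-check: source MAC %s differs from ARP entry %s" % (pkt.src_mac, expected_mac)
    return True, "strict + link-check: source MAC matches the ARP entry of the next hop"


# Constructed sample tables for a switch whose VLAN-interface 10 is 1.1.1.2/24.
SAMPLE_FIB = [
    FibEntry(IPv4Network("1.1.1.0/24"), ("Vlan-interface10",)),                               # connected
    FibEntry(IPv4Network("2.2.2.0/24"), ("Vlan-interface10",), IPv4Address("1.1.1.1")),       # via Switch A
    FibEntry(IPv4Network("3.3.3.0/24"), ("Vlan-interface20", "Vlan-interface30")),            # ECMP, next hops omitted
]
SAMPLE_ARP = {IPv4Address("1.1.1.1"): "00:11:22:33:44:55"}


def run_samples() -> Dict[str, bool]:
    """Run constructed packets through the check; returns {case: passed}."""
    dst = IPv4Address("1.1.1.2")
    good = Packet(IPv4Address("2.2.2.1"), dst, "Vlan-interface10")
    spoof = Packet(IPv4Address("2.2.2.1"), dst, "Vlan-interface20")   # 2.2.2.1 is not reachable via VLAN 20
    cases = {
        "valid_from_vlan10": (good, "strict", False),
        "spoofed_on_vlan20_strict": (spoof, "strict", False),
        "spoofed_on_vlan20_loose": (spoof, "loose", False),
        "no_route": (Packet(IPv4Address("9.9.9.9"), dst, "Vlan-interface10"), "strict", False),
        "dhcp_discover": (Packet(UNSPECIFIED, BROADCAST, "Vlan-interface10"), "strict", False),
        "zero_src_unicast_dst": (Packet(UNSPECIFIED, dst, "Vlan-interface10"), "strict", False),
        "broadcast_src": (Packet(BROADCAST, dst, "Vlan-interface10"), "strict", False),
        "ecmp_second_path": (Packet(IPv4Address("3.3.3.3"), dst, "Vlan-interface30"), "strict", False),
        "link_check_mac_ok": (Packet(IPv4Address("2.2.2.1"), dst, "Vlan-interface10", "00:11:22:33:44:55"), "strict", True),
        "link_check_mac_bad": (Packet(IPv4Address("2.2.2.1"), dst, "Vlan-interface10", "de:ad:be:ef:00:01"), "strict", True),
    }
    return {name: urpf_check(p, SAMPLE_FIB, mode, lc, SAMPLE_ARP)[0] for name, (p, mode, lc) in cases.items()}


if __name__ == "__main__":
    for name, passed in run_samples().items():
        print("%-26s %s" % (name, "forwarded" if passed else "discarded"))
```

The spoofed packet from 2.2.2.1 arriving on VLAN-interface 20 shows the difference between the modes: strict mode discards it because the route back to 2.2.2.0/24 leaves via VLAN-interface 10, while loose mode forwards it because some route to the source exists. The ECMP case passes strict mode because one of the route's outgoing interfaces matches the receiving interface, which is the "at least one outgoing interface" rule in step 2.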

Configuration procedure

When you configure uRPF, follow these guidelines:

·     The switch does not support uRPF check when more than eight ECMP routes exist. For more information about ECMP routing, see Layer 3—IP Routing Configuration Guide.

·     When the system operates in standard mode, do not configure uRPF on a VLAN interface bound to a VPN instance that has no reserved VLAN configured. For more information about system operating modes, see Fundamentals Configuration Guide. For more information about the reserved VLAN, see MPLS Configuration Guide.

·     The link layer check feature (configured by using the link-check keyword) does not support ECMP routing. If ECMP routes exist, disable the link layer check feature.

·     Strict uRPF check takes effect only on a VLAN interface.

·     uRPF checks only incoming packets on an interface.

To enable uRPF on an interface:

Step                               Command                                        Remarks
1.     Enter system view.          system-view                                    N/A
2.     Enter interface view.       interface interface-type interface-number      N/A
3.     Enable uRPF on the interface.   ip urpf strict [ link-check ]              By default, uRPF is disabled.

Displaying and maintaining uRPF

Execute display commands in any view.

Task                                               Command
Display uRPF configuration (in standalone mode).   display ip urpf interface interface-type interface-number [ slot slot-number [ cpu cpu-number ] ]
Display uRPF configuration (in IRF mode).          display ip urpf interface interface-type interface-number [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Configuration example

By default, Ethernet, VLAN, and aggregate interfaces are shut down. You must use the undo shutdown command to bring them up. This example assumes that all these interfaces are already up.

Network requirements

As shown in Figure 2, configure strict uRPF check on VLAN-interface 10 of Switch B.

Configure strict uRPF check on VLAN-interface 10 of Switch A.

Figure 2 Network diagram


Configuration procedure

1.     Configure Switch B:

# Create VLAN 10.

<SwitchB> system-view

[SwitchB] vlan 10

[SwitchB-vlan10] quit

# Specify the IP address of VLAN-interface 10.

[SwitchB] interface vlan-interface 10

[SwitchB-Vlan-interface10] ip address 1.1.1.2 255.255.255.0

# Configure strict uRPF check on VLAN-interface 10.

[SwitchB-Vlan-interface10] ip urpf strict

2.     Configure Switch A:

# Create VLAN 10.

<SwitchA> system-view

[SwitchA] vlan 10

[SwitchA-vlan10] quit

# Specify the IP address of VLAN-interface 10.

[SwitchA] interface vlan-interface 10

[SwitchA-Vlan-interface10] ip address 1.1.1.1 255.255.255.0

# Configure strict uRPF check on VLAN-interface 10.

[SwitchA-Vlan-interface10] ip urpf strict
