Thursday, 18 June 2020

uRPF and its modes : Strict vs Loose

Unicast Reverse Path Forwarding (Unicast RPF) Is a security feature to address the spoofed address attack. it is recommended to configure it on the L3 interfaces of the routers to verify the reach-ability of the source address in packets. Packet will be dropped in case source IP address is not valid. 

Unicast RPF works in one of below modes:

1. Strict mode: Router will perform two checks:. 


    A. Router checks the routing entry for the source address of the packet and will drop the packet in case no route is present on the routing table for the source address.
    B. Router will ensure that the source of incoming packet is reachable via same interface. Router will drop the packet in case source address is learned via different interface than from the one, packet in ingress ed.

Command:- 

Int eth1/1
ip verify unicast reverse-path    --<<< Old command but still available on some platforms
      or
IP verify unicast source reachable-via rx

ip verify unicast reverse-path (Unicast RPF)

2.  Loose mode: Only make sure that route for the source address is present in the routing table.

Int eth1/1
IP verify unicast source reachable-via Any

Note:-  Above matching criteria is not applicable for default route and will not allow traffic where source is only matching the default route. the " Allow-default" keyword is used to change this behaviour and traffic will be allowed where source address is matching only the default route.






No comments:

Post a Comment