Unicast Reverse Path Forwarding Check (Urpf) - Alcatel-Lucent 7450 Configuration Manual

Unicast Reverse Path Forwarding Check (uRPF)

This section applies to the 7750-SR, 7710-SR, 7950-SR and the 7450-ESS.
uRPF helps to mitigate problems that are caused by the introduction of malformed or forged
(spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP
source address. For example, a number of common types of denial-of-service (DoS) attacks,
including smurf and tribe flood network (TFN), can take advantage of forged or rapidly changing
source IP addresses to allow attackers to thwart efforts to locate or filter the attacks. For Internet
service providers (ISPs) that provide public access, Unicast RPF deflects such attacks by
forwarding only packets that have source addresses that are valid and consistent with the IP
routing table. This action protects the network of the ISP, its customer, and the rest of the Internet.
uRPF is supported for both IPv4 and IPv6 on network and access. It is supported on any IP
interface, including base router, IES, VPRN and subscriber group interfaces.
In strict mode, uRPF checks whether the incoming packet has a source address that matches a
prefix in the routing table, and whether the interface expects to receive a packet with this source
address prefix.
In loose mode, uRPF checks whether the packet has a source address with a corresponding prefix
in the routing table; loose mode does not check whether the interface expects to receive a packet
with a specific source address prefix.
Loose uRPF check is supported for ECMP, IGP shortcuts and VPRN MP-BGP routes. Packets
coming from a source that matches any ECMP, IGP shortcut or VPRN MP-BGP route will pass the
uRPF check even when the uRPF mode is set to strict mode on the incoming interface.
In the case of ECMP, this allows a packet received on an IP interface configured in strict uRPF
mode to be forwarded if the source address of the packet matches an ECMP route, even if the IP
interface is not a next-hop of the ECMP route and even if the interface is not a member of any
ECMP route. The strict-no-ecmp uRPF mode may be configured on any interface that is known
not to be a next-hop of any ECMP route. When a packet is received on such an interface and the
source address matches an ECMP route, the packet is dropped by uRPF.
If there is a default route, it is included in the uRPF check, as follows:
If there is a default route:
• A loose mode uRPF check always succeeds.
• A strict mode uRPF check only succeeds if the source address (SA) matches any route (including
the default route) where the next-hop is on the incoming interface for the packet.
Otherwise the uRPF check fails.
If the source IP address matches a discard/blackhole route, the packet is treated as if it failed the
uRPF check.
7450 ESS Router Configuration Guide, IP Router Configuration
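The decision rules above (strict, loose and strict-no-ecmp modes, the ECMP exemption from the strict check, the default-route case and discard/blackhole routes) as a small Python model, added here as an illustration and not taken from the manual or from the router software. The routing table, the interface names and the mode strings are constructed for the example; the longest-prefix lookup is a plain loop, and IGP shortcuts and VPRN MP-BGP routes, which the text says are also exempt from the strict check, are not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One routing-table entry used for the uRPF source-address lookup.

    next_hops lists the egress interfaces; more than one entry means ECMP.
    blackhole marks a discard route, which uRPF treats as a failed check.
    """
    prefix: str
    next_hops: tuple = ()
    blackhole: bool = False

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)

    @property
    def is_ecmp(self):
        return len(self.next_hops) > 1


def lookup(rib, source):
    """Longest-prefix match of the packet's source address in the routing table.

    Returns None when nothing matches, which only happens when the table has
    no default route for that address family.
    """
    addr = ipaddress.ip_address(source)
    best = None
    for route in rib:
        net = route.network
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best.network.prefixlen:
                best = route
    return best


def urpf_check(rib, source, in_iface, mode):
    """True if a packet with this source, arriving on in_iface, passes uRPF.

    mode is "loose", "strict" or "strict-no-ecmp" (constructed names for the
    three modes in the text): loose needs any non-discard route, strict needs
    the matching route's next-hop to be the incoming interface, and an ECMP
    route passes the strict check unless the interface is strict-no-ecmp.
    """
    route = lookup(rib, source)
    if route is None:
        return False           # no route at all, not even a default: fail in every mode
    if route.blackhole:
        return False           # discard/blackhole route: treated as a uRPF failure
    if mode == "loose":
        return True            # any route, the default route included, is enough
    if mode == "strict":
        if route.is_ecmp:
            return True        # ECMP exemption: pass even if in_iface is not a next-hop
        return in_iface in route.next_hops
    if mode == "strict-no-ecmp":
        if route.is_ecmp:
            return False       # interface declared not to be an ECMP next-hop: drop
        return in_iface in route.next_hops
    raise ValueError(f"unknown uRPF mode: {mode}")


# Constructed sample routing table; prefixes and interface names are made up.
RIB = (
    Route("10.0.0.0/8", ("to-customer-a",)),        # single-homed customer prefix
    Route("192.0.2.0/24", ("core-1", "core-2")),    # ECMP route over two core links
    Route("198.51.100.0/24", blackhole=True),       # discard route
    Route("0.0.0.0/0", ("upstream",)),              # IPv4 default route
    Route("2001:db8::/32", ("to-customer-a",)),     # IPv6 customer prefix, no IPv6 default
)

RIB_NO_DEFAULT = tuple(r for r in RIB if r.prefix != "0.0.0.0/0")


if __name__ == "__main__":
    cases = [
        ("10.1.2.3", "to-customer-a", "strict"),    # customer prefix from the customer: pass
        ("10.1.2.3", "upstream", "strict"),         # customer prefix arriving from upstream: drop
        ("10.1.2.3", "upstream", "loose"),          # loose only needs a route: pass
        ("192.0.2.7", "to-customer-a", "strict"),   # ECMP route, wrong interface, strict: pass
        ("192.0.2.7", "core-1", "strict-no-ecmp"),  # ECMP route on strict-no-ecmp: drop
        ("198.51.100.9", "upstream", "loose"),      # blackhole route: drop even in loose
        ("203.0.113.5", "upstream", "strict"),      # only the default matches, via upstream: pass
    ]
    for src, iface, mode in cases:
        print(f"{src:>14} on {iface:<14} {mode:<15} -> {urpf_check(RIB, src, iface, mode)}")
```

The second case is the one strict mode exists for: a packet carrying a customer's source address but arriving on the upstream interface fails the check, while loose mode lets it through because a route for the prefix exists. The strict-no-ecmp case shows why that mode is only safe on interfaces that are never an ECMP next-hop: it drops every packet whose source matches an ECMP route, including those arriving on a genuine member link.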
