Configuring IPv6 uRPF - HP VSR1000 Security Configuration Manual

Virtual services router

Configuring IPv6 uRPF

Overview

Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such
as DoS and DDoS attacks.
Attackers send packets with a forged source address to access a system that uses IP-based authentication,
in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot
receive any response packets, the attacks are still disruptive to the attacked target.
Figure 98 Source address spoofing attack
As shown in Figure 98, an attacker on Router A sends the server (Router B) requests with a forged source IPv6 address 2000::1 at a high rate. Router B sends response packets to IPv6 address 2000::1 (Router C). Consequently, both Router B and Router C are attacked. If the administrator disconnects Router C by mistake, the network service is interrupted.
Attackers can also send packets with different forged source addresses or attack multiple servers
simultaneously to block connections or even break down the network.
IPv6 uRPF can prevent these source address spoofing attacks by checking whether an interface that
receives a packet is the output interface of the FIB entry that matches the source address of the packet. If
not, uRPF considers it a spoofing attack and discards the packet.

IPv6 uRPF check modes

IPv6 uRPF supports strict and loose check modes.
Strict IPv6 uRPF check—To pass the strict IPv6 uRPF check, the source address of a packet and the receiving interface must match the destination address and output interface of an IPv6 FIB entry. In some scenarios (for example, asymmetrical routing), strict IPv6 uRPF might discard valid packets. Strict IPv6 uRPF is often deployed between a PE and a CE.
Loose IPv6 uRPF check—To pass the loose IPv6 uRPF check, the source address of a packet must match the destination address of an IPv6 FIB entry, regardless of the receiving interface. Loose IPv6 uRPF avoids discarding valid packets, but might let attack packets through. Loose IPv6 uRPF is often deployed between ISPs, especially with asymmetrical routing.
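The following is an added example, not code from the manual or from the VSR1000, that models both check modes against a small constructed IPv6 FIB and reproduces the Figure 98 scenario (Router C's address 2000::1 arriving on the wrong interface). It also models the default-route handling from the Features section, on the assumption that a match on ::/0 only counts when allow-default-route is enabled; the interface names and prefixes are made up.

```python
import ipaddress

# Constructed sample IPv6 FIB for the example: (destination prefix, output interface).
# Interface names and prefixes are made up; ::/0 is the default route.
SAMPLE_FIB = [
    ("2000::/64", "GE1/0/1"),
    ("2001:db8:1::/48", "GE1/0/2"),
    ("::/0", "GE1/0/3"),
]

def lookup(fib, address):
    """Longest-prefix match of address against the FIB.
    Returns (network, output_interface) or None when nothing matches."""
    ip = ipaddress.IPv6Address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.IPv6Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_check(fib, src, in_iface, mode="strict", allow_default_route=False):
    """Apply the IPv6 uRPF check to one packet.
    Returns True if the packet passes, False if it is dropped as spoofed.
    Assumption: a match on the default route (::/0) only counts when
    allow_default_route is set; otherwise the packet is treated as unmatched."""
    match = lookup(fib, src)
    if match is None:
        return False                     # no FIB entry for the source: drop
    net, out_iface = match
    if net.prefixlen == 0 and not allow_default_route:
        return False                     # only the default route matched
    if mode == "loose":
        return True                      # loose: any matching entry is enough
    return out_iface == in_iface         # strict: receiving interface must match

def figure_scenario():
    """Packets from the spoofing scenario in Figure 98, with constructed interfaces:
    Router C (2000::1) really sits behind GE1/0/1; the attacker's packets arrive on GE1/0/2."""
    legit = urpf_check(SAMPLE_FIB, "2000::1", "GE1/0/1", mode="strict")
    spoofed_strict = urpf_check(SAMPLE_FIB, "2000::1", "GE1/0/2", mode="strict")
    spoofed_loose = urpf_check(SAMPLE_FIB, "2000::1", "GE1/0/2", mode="loose")
    return legit, spoofed_strict, spoofed_loose

if __name__ == "__main__":
    print(figure_scenario())  # (True, False, True)
```

The loose result shows why loose mode is only a partial defence: the forged source has a FIB entry, so the packet is accepted even though it arrived on an interface that could never legitimately carry it.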

Features

Default route—When a default route exists, all packets that fail to match a specific IPv6 FIB entry match
the default route during IPv6 uRPF check and thus are permitted to pass. If you allow using the default
route (by using allow-default-route), IPv6 uRPF permits packets that only match the default route. By