Configuring URPF
Overview
Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing
attacks, such as denial of service (DoS) and distributed denial of service (DDoS) attacks.
An attacker sends packets with a forged source address to a system that uses IP address-based
authentication, impersonating an authorized user or even the administrator. Even if the attacker
cannot receive any response packets, the attack still disrupts the target, and the host whose
address was forged receives the unsolicited responses.
Figure 146 Source address spoofing attack
As shown in Figure 146, an attacker on Router A sends the server (Router B) requests with a forged
source IP address 2.2.2.1, and Router B sends response packets to IP address 2.2.2.1 (Router C).
Consequently, both Router B and Router C are attacked. URPF can prevent such attacks.
The term router in this document refers to both routers and Layer 3 switches.
Configuring URPF
URPF supports two check modes:
•
Strict URPF—To pass the strict URPF check, the source address of a packet must match the
destination address of a forwarding information base (FIB) entry, and the interface on which the
packet was received must match the output interface of that entry. In some scenarios, such as
asymmetric routing, strict URPF might discard valid packets. Strict URPF is often deployed between
a provider edge (PE) device and a customer edge (CE) device, where there is a single path to the
customer.
•
Loose URPF—To pass the loose URPF check, the source address of a packet only has to match the
destination address of a FIB entry; the receiving interface is not checked. Loose URPF avoids
discarding valid packets, but might let attack packets through if the forged source address is
reachable in the FIB. Loose URPF is often deployed between ISPs, especially where routing is
asymmetric.
URPF features
•
Default route—When a default route exists, every packet whose source address fails to match a
specific FIB entry still matches the default route, so it would pass the URPF check if the default
route were used. To prevent this, URPF can be configured to ignore the default route, in which
case such packets are discarded. By default, URPF discards packets that can only match a default
route; allowing the default route makes URPF permit them.
•
ACL—To identify specific packets as valid, you can apply an ACL to URPF. Packets that fail the
URPF check but are permitted by the ACL are still forwarded normally.
URPF work flow
URPF does not check multicast packets.
Figure 147 shows how URPF works.
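To make the work flow concrete, the following Python model implements the checks described in this section: a longest-prefix lookup of the packet's source address in the FIB, the strict versus loose interface comparison, the default-route rule, the ACL exemption, and the multicast bypass. It is an added illustration written for this page, not code from the MSR router software; the FIB contents, interface names (GE1, GE2, GE3), and ACL are constructed sample data, and the function and parameter names are assumptions made for the example.

```python
"""Model of the URPF check: strict/loose mode, default route handling,
ACL exemption and multicast bypass.  Added example for this page, not
router code; FIB, interface names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FibEntry:
    prefix: ipaddress.IPv4Network  # destination prefix of the route
    out_iface: str                 # output interface toward that prefix


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    in_iface: str   # interface the packet arrived on


# Constructed FIB: a customer prefix on GE1, a second link on GE3, and a
# default route pointing at the upstream on GE2 (hypothetical topology).
FIB = [
    FibEntry(ipaddress.ip_network("0.0.0.0/0"), "GE2"),       # default route
    FibEntry(ipaddress.ip_network("10.1.0.0/16"), "GE1"),     # customer
    FibEntry(ipaddress.ip_network("192.168.5.0/24"), "GE3"),  # second link
]


def lookup(fib, address):
    """Longest-prefix match of `address` against the FIB, or None."""
    ip = ipaddress.ip_address(address)
    best = None
    for entry in fib:
        if ip in entry.prefix and (
            best is None or entry.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = entry
    return best


def urpf_check(pkt, fib, mode="strict", allow_default_route=False, acl=None):
    """Return True if the packet is forwarded, False if URPF discards it.

    mode: "strict" (source must be reachable via the receiving interface)
          or "loose" (source merely has to be present in the FIB).
    allow_default_route: whether a match on 0.0.0.0/0 alone counts as a
          pass.  Off by default, as the text states.
    acl:  optional iterable of source prefixes (strings); packets that fail
          the check but match the ACL are forwarded anyway.
    """
    # URPF does not check multicast packets.
    if ipaddress.ip_address(pkt.dst).is_multicast:
        return True

    entry = lookup(fib, pkt.src)
    passed = entry is not None

    # Only the default route matched: discard unless explicitly allowed.
    if passed and entry.prefix.prefixlen == 0 and not allow_default_route:
        passed = False

    # Strict mode: the reverse path must point out the receiving interface.
    if passed and mode == "strict" and entry.out_iface != pkt.in_iface:
        passed = False

    # ACL exemption: matching packets are forwarded despite failing.
    if not passed and acl is not None:
        src = ipaddress.ip_address(pkt.src)
        passed = any(src in ipaddress.ip_network(p) for p in acl)

    return passed


if __name__ == "__main__":
    cases = [
        ("customer traffic on GE1", Packet("10.1.2.3", "203.0.113.7", "GE1")),
        ("spoofed customer source on GE2", Packet("10.1.2.3", "203.0.113.7", "GE2")),
        ("asymmetric return path on GE2", Packet("192.168.5.9", "10.1.2.3", "GE2")),
        ("source known only via default", Packet("8.8.8.8", "10.1.2.3", "GE2")),
    ]
    for label, pkt in cases:
        print(f"{label:32} strict={urpf_check(pkt, FIB, 'strict')!s:5} "
              f"loose={urpf_check(pkt, FIB, 'loose')}")
```

Running the block shows the trade-off the text describes: the spoofed packet arriving on the upstream interface is dropped by strict mode but accepted by loose mode, while the legitimate asymmetric return path is also dropped by strict mode. A source that matches only the default route is dropped in both modes unless `allow_default_route` is set, and the ACL parameter lets specific sources through after a failed check.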