Configuring Unicast RPF; Information About Unicast RPF - Cisco Nexus 3600 NX-OS Security Configuration Manual


Configuring Unicast RPF

This chapter contains the following sections:

Information About Unicast RPF

The Unicast RPF feature reduces problems that are caused by the introduction of malformed or forged (spoofed) IPv4 source addresses into a network by discarding IPv4 packets that lack a verifiable IP source address. For example, a number of common types of Denial-of-Service (DoS) attacks, including Smurf and Tribal Flood Network (TFN) attacks, can take advantage of forged or rapidly changing source IPv4 or IPv6 addresses to allow attackers to thwart efforts to locate or filter the attacks. Unicast RPF deflects attacks by forwarding only the packets that have source addresses that are valid and consistent with the IP routing table.

When you enable Unicast RPF on an interface, the device examines all ingress packets received on that interface to ensure that the source address and source interface appear in the routing table and match the interface on which the packet was received. This examination of source addresses relies on the Forwarding Information Base (FIB).

Unicast RPF verifies that any packet received at an interface arrives on the best return path (return route) to the source of the packet by doing a reverse lookup in the FIB. If the packet was received from one of the best reverse path routes, the packet is forwarded as normal. If there is no reverse path route on the same interface from which the packet was received, the source address might have been modified by the attacker. If Unicast RPF does not find a reverse path for the packet, the packet is dropped.
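The check described above, reduced to its essentials, is a longest-prefix lookup of the packet's source address in the FIB followed by a comparison of the resulting egress interface with the interface the packet arrived on. The following Python model is an added example, not code from the Cisco guide or from NX-OS: the FIB entries, interface names and packets are constructed, and the `mode="loose"` branch goes slightly beyond this section by also showing the variant in which the source only has to be reachable through some interface rather than the ingress interface.

```python
import ipaddress
from collections import Counter

# Constructed FIB: destination prefix -> interface on the best path to it.
# For a reverse-path check this interface is the "best return path" to a source.
# Deliberately no default route, so unknown sources have no reverse path at all.
FIB = {
    "10.1.0.0/16": "Ethernet1/1",
    "10.2.0.0/16": "Ethernet1/2",
    "10.2.5.0/24": "Ethernet1/3",   # more specific than 10.2.0.0/16, different interface
}


def lookup_fib(fib, address):
    """Longest-prefix match of an address against the FIB.

    Returns (network, interface) for the most specific covering prefix,
    or None when no prefix covers the address.
    """
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src, ingress_iface, mode="strict"):
    """Reverse-path check for one packet; returns (verdict, reason).

    strict: forward only if the reverse path to src leaves via ingress_iface
            (the behaviour the chapter describes).
    loose:  forward if src has any reverse path at all (assumed variant).
    In both modes a source with no reverse path in the FIB is dropped.
    """
    match = lookup_fib(fib, src)
    if match is None:
        return ("drop", f"{src}: no reverse path in FIB")
    net, iface = match
    if mode == "loose":
        return ("forward", f"{src}: reachable via {iface}")
    if iface == ingress_iface:
        return ("forward", f"{src}: reverse path {net} -> {iface} matches ingress")
    return ("drop", f"{src}: reverse path {net} -> {iface}, but arrived on {ingress_iface}")


# Constructed ingress packets as (source address, ingress interface).
SAMPLE_PACKETS = [
    ("10.1.7.9", "Ethernet1/1"),     # legitimate: source sits behind Ethernet1/1
    ("10.2.9.1", "Ethernet1/2"),     # legitimate: matched by 10.2.0.0/16
    ("10.2.5.4", "Ethernet1/2"),     # wrong interface: 10.2.5.0/24 is behind Ethernet1/3
    ("10.1.7.9", "Ethernet1/2"),     # internal source arriving on the wrong interface
    ("192.0.2.77", "Ethernet1/1"),   # no route back to this source at all
]


def filter_packets(fib, packets, mode="strict"):
    """Apply the check to a batch of packets and return verdict counts."""
    counts = Counter(urpf_check(fib, src, iface, mode)[0] for src, iface in packets)
    return dict(counts)


if __name__ == "__main__":
    for src, iface in SAMPLE_PACKETS:
        verdict, reason = urpf_check(FIB, src, iface)
        print(f"{verdict:8} {iface:12} {reason}")
    print(filter_packets(FIB, SAMPLE_PACKETS))
```

The third packet is the case worth noticing: its source is covered by two FIB entries, and only the longest match (10.2.5.0/24 via Ethernet1/3) counts, so a packet from that source arriving on Ethernet1/2 is dropped in strict mode even though the less specific route does point at Ethernet1/2. The model also makes plain that the check is only as good as the FIB: asymmetric routing, where the best return path legitimately differs from the ingress interface, produces the same drop as a spoofed source.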
Cisco Nexus 3600 NX-OS Security Configuration Guide, Release 7.x
