URPF Overview; Basic Concepts; Processing Flow - 3Com MSR 50 Series Configuration Manual


URPF Overview

Basic Concepts

Processing Flow

URPF CONFIGURATION
When configuring URPF, go to these sections for information you are interested in:
"URPF Overview"
"Configuring URPF"
Unicast reverse path forwarding (URPF) protects a network against attacks based
on source address spoofing.
Attackers launch attacks by creating a series of packets with forged source
addresses. For applications using IP-address-based authentication, this type of
attack allows unauthorized users to access the system in the name of authorized
users, or even to access the system as the administrator. Even if the attackers cannot
receive any response packets, the attacks are still disruptive to the attacked target.
Figure 193 Source address spoofing attack
(Figure labels: Router A, 1.1.1.8/8, source IP address 2.2.2.1/8; Router B; Router C, 2.2.2.1/8.)
As shown in Figure 193, Router A originates a request to the server (Router B) by
sending a packet with a forged source IP address 2.2.2.1/8, and Router B sends a
packet to the real IP address 2.2.2.1/8 in response to the request. Illegal packets
of this type attack Router B and Router C.
URPF can prevent source address spoofing attacks.
URPF provides two types of check in common use: strict and loose. In addition, it
supports ACL check and default route check.
The URPF processing flow is as follows:
1 If the source address of a packet is found in the FIB table:
  In the strict approach, URPF does a reverse lookup for the outgoing interfaces of
  the packet. If at least one outgoing interface matches the incoming interface,
  the packet passes the check. Otherwise, the packet is dropped. (Reverse lookup
  means looking up the outgoing interfaces of the packet with the source IP
  address being the destination IP address.)
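The strict check in step 1, worked through for Router B in Figure 193. This is an added example, not code from the manual or from the router software. The interface names, the placement of Router A in 1.0.0.0/8, and the 3.x routes are constructed assumptions.

```python
import ipaddress

# Constructed FIB for Router B in Figure 193. Interface names are assumptions.
# Each prefix maps to its set of outgoing interfaces (several for equal-cost paths).
FIB = {
    "1.0.0.0/8": {"Eth0/0"},            # toward Router A (assumed)
    "2.0.0.0/8": {"Eth0/1"},            # toward Router C (assumed)
    "3.0.0.0/8": {"Eth0/0", "Eth0/1"},  # constructed equal-cost route
    "3.3.0.0/16": {"Eth0/2"},           # constructed more-specific route
}

def reverse_lookup(fib, src):
    """Longest-prefix match using the packet's source address as the destination.

    Returns the set of outgoing interfaces, or None if no FIB entry covers src.
    """
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifaces in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best[1] if best else None

def strict_urpf(fib, src, in_iface):
    """Return 'pass' or 'drop' for step 1 of the flow; None if src is not in the FIB."""
    out_ifaces = reverse_lookup(fib, src)
    if out_ifaces is None:
        return None  # source not found in the FIB: outside the step shown above
    # Pass if at least one outgoing interface matches the incoming interface.
    return "pass" if in_iface in out_ifaces else "drop"

if __name__ == "__main__":
    packets = [  # constructed (source address, incoming interface) pairs
        ("1.1.1.8", "Eth0/0"),  # Router A using its own address
        ("2.2.2.1", "Eth0/0"),  # forged source arriving from Router A's side
        ("2.2.2.1", "Eth0/1"),  # same source arriving from Router C's side
        ("3.1.1.1", "Eth0/1"),  # equal-cost route, one interface matches
        ("3.3.3.3", "Eth0/0"),  # more-specific route points elsewhere
        ("9.9.9.9", "Eth0/0"),  # no FIB entry
    ]
    for src, iface in packets:
        print(f"{src:10} in={iface:7} -> {strict_urpf(FIB, src, iface)}")
```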
