URPF Configuration; URPF Overview; Configuring URPF; What Is URPF - H3C LS-3100-52P-OVS-H3 Operation Manual

S5500-ei series ethernet switches

1 URPF Configuration

When configuring URPF, go to these sections for information you are interested in:

URPF Overview

Configuring URPF

URPF Overview

What is URPF

Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks.
Attackers launch attacks by creating a series of packets with forged source addresses. For applications
using IP-address-based authentication, this type of attack allows unauthorized users to access the
system in the name of authorized users, or even access the system as the administrator. Even if the
attackers cannot receive any response packets, the attacks are still disruptive to the attacked target.
Figure 1-1 Attack based on source address spoofing
As shown in Figure 1-1, Switch A originates a request to the server (Switch B) by sending a packet with
a forged source IP address of 2.2.2.1/8, and Switch B sends a packet to Switch C at 2.2.2.1/8 in
response to the request. Consequently, both Switch B and Switch C are attacked.
URPF can prevent source address spoofing attacks.

How URPF Works

URPF works as follows:
1) First, URPF checks the source address validity, and then:
   - Discards packets with broadcast source addresses.
   - Discards packets with all-zero source addresses but non-broadcast destination addresses. (A
     packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a DHCP or
     BOOTP packet, and thus is not discarded.)
2) If the source address of an incoming packet is found in the FIB table, URPF does a reverse route
   lookup for routes to the source address of the packet. If at least one outgoing interface of such a
   route matches the receiving interface, the packet passes the check. Otherwise, the packet is
   rejected.
3) If the source address of an incoming packet is not found in the FIB table, the packet is rejected.
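
The three checks above, modelled in Python as an added example (not H3C code and not part of the original manual). The FIB contents, the interface names, and every prefix other than 2.0.0.0/8 (taken from the 2.2.2.1/8 address in Figure 1-1) are constructed. Only the limited broadcast 255.255.255.255 is treated as a broadcast source, and the reverse route lookup is assumed to be a longest-prefix match.

```python
import ipaddress

# Constructed FIB for the switch running the check (Switch B in Figure 1-1).
# Interface names and all prefixes except 2.0.0.0/8 are assumptions.
FIB = [
    (ipaddress.ip_network("1.0.0.0/8"), {"vlan-if10"}),    # toward Switch A
    (ipaddress.ip_network("2.0.0.0/8"), {"vlan-if20"}),    # toward Switch C
    (ipaddress.ip_network("10.1.0.0/16"), {"vlan-if10", "vlan-if20"}),  # equal-cost paths
]

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
ALL_ZERO = ipaddress.ip_address("0.0.0.0")


def reverse_lookup(src):
    """Longest-prefix match on the source; returns its outgoing interfaces or None."""
    matches = [(net, ifs) for net, ifs in FIB if src in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def urpf_check(src, dst, in_if):
    """Return (passed, reason) for one packet received on interface in_if."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Step 1: source address validity.
    if src == LIMITED_BROADCAST:
        return False, "broadcast source"
    if src == ALL_ZERO:
        if dst == LIMITED_BROADCAST:
            return True, "possible DHCP/BOOTP"
        return False, "all-zero source"
    # Steps 2 and 3: reverse route lookup on the source address.
    out_ifs = reverse_lookup(src)
    if out_ifs is None:
        return False, "source not in FIB"
    if in_if in out_ifs:
        return True, "reverse path matches"
    return False, "reverse path mismatch"


if __name__ == "__main__":
    # The spoofed request from Figure 1-1: source 2.2.2.1 arriving from Switch A's side.
    print(urpf_check("2.2.2.1", "10.1.0.5", "vlan-if10"))
    # The same source arriving on the interface that actually leads to 2.0.0.0/8.
    print(urpf_check("2.2.2.1", "10.1.0.5", "vlan-if20"))
```

The spoofed request is dropped because the only route back to 2.2.2.1 leaves through the interface toward Switch C, not the one the packet arrived on.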

Configuring URPF

Follow these steps to configure URPF: