{"id":87,"date":"2015-04-28T21:03:23","date_gmt":"2015-04-28T21:03:23","guid":{"rendered":"http:\/\/www.balajibandi.com\/blog\/?p=87"},"modified":"2024-10-18T10:50:36","modified_gmt":"2024-10-18T09:50:36","slug":"unicast-reverse-path-forwarding-urpf","status":"publish","type":"post","link":"https:\/\/www.balajibandi.com\/?p=87","title":{"rendered":"Unicast Reverse Path Forwarding (uRPF)"},"content":{"rendered":"<h1><span style=\"text-decoration: underline; color: #3366ff;\"><strong>Unicast Reverse Path Forwarding (uRPF)<\/strong><\/span><\/h1>\n<p>Normally when your router receives unicast IP packets it only cares about one thing:<\/p>\n<ul>\n<li><em>What is the destination IP address of this IP packet so I can forward it?<\/em><\/li>\n<\/ul>\n<p>If the IP packet has to be routed, the router will check the routing table for the destination IP address, select the correct outgoing interface and forward the packet. Your router really doesn\u2019t care about the source IP address, as it is not needed for the forwarding decision.<\/p>\n<p>Because the router doesn\u2019t check the source IP address, it is possible for attackers to spoof the source IP address and send packets that would normally have been dropped by the firewall or an access-list.<\/p>\n<div class=\"woo-sc-box note\">When you use multicast, checking the source of multicast IP packets is a very important topic. Right now I\u2019m only talking about unicast IP packets.<\/div>\n<p>uRPF is a security feature that prevents these spoofing attacks. Whenever your router receives an IP packet it will check if it has a <strong>matching entry in the routing table for the source IP address<\/strong>. If there is no match, the packet will be discarded. 
uRPF has two modes:<\/p>\n<ul>\n<li><strong>Strict mode<\/strong><\/li>\n<li><strong>Loose mode<\/strong><\/li>\n<\/ul>\n<p>Let\u2019s take a look at the difference between both modes and how to configure them.<\/p>\n<h2>Strict Mode<\/h2>\n<p>Strict mode means that the router will perform <strong>two checks<\/strong> for all incoming packets on a certain interface:<\/p>\n<ul>\n<li>Do I have a matching entry for the source in the <strong>routing table<\/strong>?<\/li>\n<li>Do I use the <strong>same interface to reach this source<\/strong> as the one I received this packet on?<\/li>\n<\/ul>\n<p>When an incoming IP packet <strong>passes both checks<\/strong>, it will be permitted. Otherwise it will be dropped. This works well with IGP routing protocols since they use the shortest path towards the source of the IP packets: the interface that you use to reach the source will be the same as the interface you receive its packets on. Here\u2019s an illustration to demonstrate this:<\/p>\n<p><span class=\"removed_link\" title=\"http:\/\/networklessons.com\/wp-content\/uploads\/2013\/05\/urpf-strict-example.png\"><\/span><\/p>\n<p>R1 has installed network 1.1.1.0\/24 in its routing table and uses the FastEthernet 0\/0 interface to reach this network. Now suppose this router receives an IP packet with source IP address 1.1.1.1 on both of its interfaces. The one received on FastEthernet 0\/0 will be accepted, but the packet on the FastEthernet 0\/1 interface will be dropped because this is not the interface we use to reach this source.<\/p>\n<p>Let\u2019s configure the example above to see how it works. 
I\u2019ll use the following topology:<\/p>\n<p><span class=\"removed_link\" title=\"http:\/\/networklessons.com\/wp-content\/uploads\/2013\/05\/urpf-demo-topology.png\"><\/span><\/p>\n<p>We will configure R1 with a static route so it can reach the loopback0 interface of R2:<\/p>\n<pre><code>R1(config)#<strong>ip route 2.2.2.2 255.255.255.255 192.168.12.2<\/strong><\/code><\/pre>\n<p>This is what the routing table looks like now:<\/p>\n<pre><code>R1#<strong>show ip route<\/strong>\r\n\r\nC    192.168.12.0\/24 is directly connected, FastEthernet0\/0\r\nC    192.168.13.0\/24 is directly connected, FastEthernet0\/1\r\n     2.0.0.0\/32 is subnetted, 1 subnets\r\nS       2.2.2.2 [1\/0] via 192.168.12.2<\/code><\/pre>\n<p>Now we\u2019ll configure uRPF strict mode on both interfaces:<\/p>\n<pre><code>R1(config)#<strong>interface fastEthernet 0\/0<\/strong>\r\nR1(config-if)#<strong>ip verify unicast source reachable-via rx<\/strong>\r\n\r\nR1(config)#<strong>interface fastEthernet 0\/1<\/strong>\r\nR1(config-if)#<strong>ip verify unicast source reachable-via rx<\/strong><\/code><\/pre>\n<p>You can verify that it has been enabled on the interface like this:<\/p>\n<pre><code>R1#<strong>show ip interface fastEthernet 0\/0 | include verify<\/strong>\r\n  IP verify source reachable-via RX\r\n\r\nR1#<strong>show ip interface fastEthernet 0\/1 | include verify<\/strong>\r\n  IP verify source reachable-via RX<\/code><\/pre>\n<p>To test uRPF we\u2019ll first send some pings from R2; these should be accepted:<\/p>\n<pre><code>R2#<strong>ping 192.168.12.1 source loopback 0<\/strong>\r\n\r\nType escape sequence to abort.\r\nSending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:\r\nPacket sent with a source address of 2.2.2.2 \r\n!!!!!\r\nSuccess rate is 100 percent (5\/5), round-trip min\/avg\/max = 4\/4\/8 ms<\/code><\/pre>\n<p>As expected, this ping works. 
Now I\u2019ll create a new loopback interface on R3 with the 2.2.2.2 IP address on it so that we can spoof this IP address:<\/p>\n<pre><code>R3(config)#<strong>interface loopback 0<\/strong>\r\nR3(config-if)#<strong>ip address 2.2.2.2 255.255.255.255<\/strong><\/code><\/pre>\n<p>Now we\u2019ll send some pings from this loopback:<\/p>\n<pre><code>R3#<strong>ping 192.168.13.1 source loopback 0<\/strong>\r\n\r\nType escape sequence to abort.\r\nSending 5, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds:\r\nPacket sent with a source address of 2.2.2.2 \r\n.....\r\nSuccess rate is 0 percent (0\/5)<\/code><\/pre>\n<p>The packets make it to R1 but are dropped there; we can verify this as follows:<\/p>\n<pre><code>R1#<strong>show ip interface fastEthernet 0\/0 | include drops<\/strong>\r\n  0 verification drops\r\n  0 suppressed verification drops<\/code><\/pre>\n<pre><code>R1#<strong>show ip interface fastEthernet 0\/1 | include drops<\/strong>\r\n  5 verification drops\r\n  0 suppressed verification drops<\/code><\/pre>\n<p>Above you see that the spoofed packets on the FastEthernet 0\/1 interface have been dropped. Now let\u2019s take a look at loose mode\u2026<\/p>\n<h2>Loose Mode<\/h2>\n<p>Loose mode means that the router will perform only a <strong>single check<\/strong> when it receives an IP packet on an interface:<\/p>\n<ul>\n<li>Do I have a matching entry for the source in the <strong>routing table<\/strong>?<\/li>\n<\/ul>\n<p>When it passes this check, the packet is permitted. It doesn\u2019t matter whether this interface is the one we use to reach the source or not. Loose mode is useful when you are connected to more than one ISP and you use <strong>asymmetric routing<\/strong>. The only exception is the null0 interface: if the route for a source has null0 as its outgoing interface, packets from that source will be dropped. 
Take a look at this illustration:<\/p>\n<p><span class=\"removed_link\" title=\"http:\/\/networklessons.com\/wp-content\/uploads\/2013\/05\/urpf-loose-example.png\"><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Unicast Reverse Path Forwarding (uRPF) Normally when your router receives unicast IP packets it only cares about one thing: What is the destination IP address of this IP packet so I can forward it? If the IP packet has to be routed it willl check the routing table for the destination IP address, select the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,2],"tags":[],"class_list":["post-87","post","type-post","status-publish","format-standard","hentry","category-ccie-rns","category-cisco"],"_links":{"self":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/87","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=87"}],"version-history":[{"count":8,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/87\/revisions"}],"predecessor-version":[{"id":2344,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/87\/revisions\/2344"}],"wp:attachment":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=87"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=87"},{"taxonomy":"post_tag","embeddable":true,"href":"
https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=87"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}