Unicast Reverse Path Forwarding

Pages: 26 (6303 words) Published: May 26, 2012
This feature module describes the Unicast Reverse Path Forwarding (RPF) feature, which helps to mitigate problems caused by malformed or forged IP source addresses passing through a router. This document includes information on the benefits of the new feature, supported platforms, related documents, and so on. This document includes the following sections:
• Feature Overview, page 1
• Supported Platforms, page 11
• Supported Standards, MIBs, and RFCs, page 11
• Prerequisites, page 12
• Configuration Tasks, page 12
• Monitoring and Maintaining Unicast RPF, page 14
• Configuration Examples, page 15
• Command Reference, page 17

Feature Overview
The Unicast RPF feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address. For example, a number of common types of denial-of-service (DoS) attacks, including Smurf and Tribe Flood Network (TFN), can take advantage of forged or rapidly changing source IP addresses to allow attackers to thwart efforts to locate or filter the attacks. For Internet service providers (ISPs) that provide public access, Unicast RPF deflects such attacks by forwarding only packets that have source addresses that are valid and consistent with the IP routing table. This action protects the network of the ISP, its customers, and the rest of the Internet.

How It Works
When Unicast RPF is enabled on an interface, the router examines all packets received as input on that interface to make sure that the source address and source interface appear in the routing table and match the interface on which the packet was received. This “look backwards” ability is available only when Cisco Express Forwarding (CEF) is enabled on the router, because the lookup relies on the presence of the Forwarding Information Base (FIB). CEF generates the FIB as part of its operation.

Cisco IOS Release 11.1(17)CC    1


Note

Unicast RPF is an input function and is applied only on the input interface of a router at the upstream end of a connection. Unicast RPF checks to see if any packet received at a router interface arrives on one of the best return paths to the source of the packet. Unicast RPF does this by doing a reverse lookup in the CEF table. If the packet was received from one of the best reverse path routes, the packet is forwarded as normal. If there is no reverse path route on the same interface from which the packet was received, it might mean that the source address was modified or forged. If Unicast RPF does not find a reverse path for the packet, the packet is dropped.

Note

With Unicast RPF, all equal-cost “best” return paths are considered valid. This means that Unicast RPF works in cases where multiple return paths exist, provided that each path is equal to the others in terms of the routing cost (number of hops, weights, and so on) and as long as the route is in the FIB. Unicast RPF also functions where EIGRP variants are being used and unequal candidate paths back to the source IP address exist.

When a packet is received at the interface where Unicast RPF and access control lists (ACLs) have been configured, the following actions occur:

1. Input ACLs configured on the inbound interface are checked.
2. Unicast RPF checks to see if the packet has arrived on one of the best return paths to the source, which it does by doing a reverse lookup in the FIB table.
3. CEF table (FIB) lookup is carried out for packet forwarding.
4. Output ACLs are checked on the outbound interface.
5. The packet is forwarded.

Figure 1 illustrates how Unicast RPF and CEF work together to validate IP source addresses by verifying packet return paths. In this example, a customer has sent a packet having a source address of 192.168.1.1 from interface FDDI 2/0/0. Unicast RPF checks the FIB to see if...
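As an added illustration that is not part of the Cisco document, the following Python models the reverse lookup and the input-ACL / Unicast RPF / FIB-lookup order described above against a constructed FIB. All prefixes and interface names are made up for the example, apart from the 192.168.1.1 / FDDI 2/0/0 pair taken from the figure text; 10.0.0.0/8 is given two equal-cost return paths to show that either one satisfies the check.

```python
import ipaddress

# Constructed FIB (not the page's Figure 1): prefix -> set of equal-cost
# egress interfaces. 10.0.0.0/8 deliberately has two equal-cost return paths.
FIB = {
    "192.168.1.0/24": {"FDDI2/0/0"},
    "10.0.0.0/8": {"Serial0/0", "Serial0/1"},
    "172.16.0.0/16": {"POS1/0"},
}

# Constructed input ACL per inbound interface: denied source prefixes.
INPUT_ACL_DENY = {"FDDI2/0/0": ["192.168.1.200/32"]}

def fib_lookup(addr):
    """Longest-prefix match in the FIB; returns the set of best egress
    interfaces for addr, or an empty set when no route exists."""
    ip = ipaddress.ip_address(addr)
    best_net, best_ifaces = None, set()
    for prefix, ifaces in FIB.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_ifaces = net, ifaces
    return best_ifaces

def urpf_passes(src, in_iface):
    """Reverse lookup on the source address: the packet passes when the
    receiving interface is one of the equal-cost best return paths to src."""
    return in_iface in fib_lookup(src)

def process_packet(src, dst, in_iface):
    """Apply the documented order: input ACL, Unicast RPF, FIB lookup, forward.
    Returns a string describing the verdict."""
    for denied in INPUT_ACL_DENY.get(in_iface, []):
        if ipaddress.ip_address(src) in ipaddress.ip_network(denied):
            return "drop:input-acl"
    if not urpf_passes(src, in_iface):
        return "drop:urpf"          # no reverse path via the receiving interface
    out = fib_lookup(dst)
    if not out:
        return "drop:no-route"
    return "forward:" + sorted(out)[0]

if __name__ == "__main__":
    # Constructed traffic: valid customer source, spoofed source, ECMP source.
    print(process_packet("192.168.1.1", "172.16.5.5", "FDDI2/0/0"))  # forward:POS1/0
    print(process_packet("10.9.9.9", "172.16.5.5", "FDDI2/0/0"))     # drop:urpf
    print(process_packet("10.9.9.9", "192.168.1.1", "Serial0/1"))    # forward:FDDI2/0/0
    print(process_packet("203.0.113.1", "172.16.5.5", "FDDI2/0/0"))  # drop:urpf
```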