Question on uRPF Functionality

Answered Question
Feb 28th, 2007

I have read the posts in this forum, however, still not clear to me-here's my question:

My understanding of uRPF is that it protects against spoofed/forged IP addresses. When a router receives an inbound spoofed packet it looks up the CEF/FIB table and does a reverse map to see if the source IP would use the same interface that the packet arrived on. What I am not clear on is this: does this only apply to incoming spoofed IPs made to look like the internal LAN addresses?

Let's say the internal LAN is 109.1.x.x and a spoofed address of 209.x.x.x arrives on the external interface and you have a default route to the internet. Doesn't the default route now validate this spoofed address, meaning that the best way to reach this IP is through the outside interface, even though it is a forged IP?

Could someone please clarify the functionality of uRPF in the above scenario, because I have a hard time understanding which spoofed IP addresses uRPF applies to: the internal LAN IPs or unknown IPs coming from the Internet.

thanks in advance.

swmorris Thu, 03/01/2007 - 04:22

It is performed on all packets from any source coming in the interfaces that you have applied the "ip verify" command to.

The lookups for RPF check follow the same rules that the lookups for packet forwarding do. This means that while yes, a 0/0 route will certainly include your internal networks, this would still fail RPF because it is not the most specific entry.

The router is basically asking a question: "If I were to send a packet back to the source, is this an interface that I would use?" and if the answer would be no, then the packet is dropped.

HTH,

Scott


tony.ramsey Thu, 03/01/2007 - 17:05

Scott,

thanks. I understand your explanation to a certain point. If the router uses the same logic in the RPF lookup as in packet forwarding, and you only have a default route pointing to the next hop or serial interface, how does RPF distinguish between legitimate traffic from unknown addresses and malicious traffic from a spoofed IP (using some legitimate address)?

TIA

Correct Answer
swmorris Sat, 03/03/2007 - 18:20

In newer code (12.3T and later) you actually have specific parameters to deal with this problem.

On your command line, there's an option to "use-default" or if you leave that off, the behavior is to NOT use a default route.

Still when we think about what RPF checks do, that MAY not be a problem for you. If you have a link to the Internet, and someone spoofs an address over the internet, you honestly don't have a clue about that anyway. All you would know is whether they were trying to spoof something you knew internally or from a more specific route (which the route lookup would tell you anyway)!

HTH,

Scott
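Scott's two points, the longest-match lookup in his earlier reply and the default-route option in this one, as an added example that is not part of the original thread: a small Python model of a FIB with the strict and loose RPF checks run over the question's scenario. The interface names, the 109.1.0.0/16 LAN behind Gi0/1, the default route over Se0/0 and the test packets are all constructed assumptions. On IOS the keyword is "allow-default" on "ip verify unicast source reachable-via rx"; with it left off, a source that matches only 0.0.0.0/0 is treated as unroutable and fails the check.

```python
"""Model of Cisco-style unicast RPF (strict and loose mode) over a
longest-prefix-match FIB.  Example code added to illustrate the thread;
it is not from the original post and not Cisco code.  Interface names,
prefixes and packets below are constructed for the question's scenario."""
from ipaddress import ip_address, ip_network

DEFAULT_ROUTE = ip_network("0.0.0.0/0")

# Constructed FIB (assumption): the internal LAN 109.1.0.0/16 is behind
# Gi0/1, everything else is reached via a default route over Se0/0.
FIB = {
    ip_network("109.1.0.0/16"): "Gi0/1",
    DEFAULT_ROUTE: "Se0/0",
}


def fib_lookup(fib, addr):
    """Longest-prefix match, the same rule the forwarding path applies.

    Returns (prefix, egress_interface), or None if nothing covers addr."""
    addr = ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_strict(fib, src, ingress, allow_default=False):
    """'ip verify unicast source reachable-via rx [allow-default]'.

    Passes only if the best route back to src leaves via the ingress
    interface.  Without allow-default a source covered only by 0.0.0.0/0
    is treated as having no route and fails."""
    match = fib_lookup(fib, src)
    if match is None:
        return False
    prefix, egress = match
    if prefix == DEFAULT_ROUTE and not allow_default:
        return False
    return egress == ingress


def urpf_loose(fib, src, allow_default=False):
    """'ip verify unicast source reachable-via any [allow-default]'.

    Passes if src is routable via any interface; the ingress interface is
    not consulted, so a spoofed internal address arriving from the
    Internet is not caught."""
    match = fib_lookup(fib, src)
    if match is None:
        return False
    prefix, _ = match
    return allow_default or prefix != DEFAULT_ROUTE


def evaluate(fib, packets, allow_default):
    """Return [(src, ingress, strict_verdict, loose_verdict), ...]."""
    return [
        (src, ingress,
         urpf_strict(fib, src, ingress, allow_default),
         urpf_loose(fib, src, allow_default))
        for src, ingress in packets
    ]


# Constructed test traffic: (source address, interface it arrived on).
PACKETS = [
    ("109.1.5.5", "Gi0/1"),  # legitimate internal host
    ("109.1.5.5", "Se0/0"),  # Internet packet spoofing an internal address
    ("209.1.1.1", "Se0/0"),  # Internet source, genuine or forged: looks the same
    ("209.1.1.1", "Gi0/1"),  # internal host spoofing an outside address (RFC 2827)
]

if __name__ == "__main__":
    for allow_default in (False, True):
        print(f"\nallow-default = {allow_default}")
        for src, ingress, strict, loose in evaluate(FIB, PACKETS, allow_default):
            s = "pass" if strict else "DROP"
            l = "pass" if loose else "DROP"
            print(f"  {src:>10} on {ingress}: strict={s}  loose={l}")
```

Running it shows the behaviour Scott describes: 109.1.5.5 arriving on Se0/0 is dropped by strict mode whether or not allow-default is set, because the /16 is more specific than 0/0 and points at Gi0/1; 209.1.1.1 on Se0/0 is dropped without allow-default (so strict uRPF on an edge that carries only a default route needs the keyword to pass any Internet traffic at all) and passes with it, forged or not, which is the limit he points out; and 209.1.1.1 arriving from the inside on Gi0/1 is dropped either way, the RFC 2827 egress case. Loose mode passes the spoofed internal address, so it is no substitute for strict mode on the outside interface.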

tony.ramsey Mon, 03/05/2007 - 06:47

Scott,

I did read the link that you posted, and after reading other articles it is clear now that RPF checking can be used as an alternative to RFC 2827 filtering as well. The last paragraph of your comment brought things into better focus for me.

Thank you!!
