Solved: ip verify unicast source reachable-via effective on border routers?

tleroy · ‎05-10-2008

ip verify unicast source reachable-via uses the router's routing table to detect and prevent spoofing. On a border router with very few routes, and a static default route to the ISP's router, would verify unicast source reachable-via be effective? It seems like it would only stop a spoofed packet with the source and destination of the WAN interface, or the with an address matching the subnet between the border router and the firewall. All other packets would be allowed based on the 0.0.0.0 0.0.0.0 x.x.x.x (x being the ISP's router) default route, wouldn't they?

Perhaps this questions should be in the Security/General forum? Would a moderator be able to move it there for me? I prefer not to double-post.

Thanks!

Joseph W. Doherty · ‎05-11-2008

Have you seen?

http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

http://www.cisco.com/en/US/docs/ios/11_1/feature/guide/uni_rpf.html

http://www.cisco.com/en/US/docs/ios/12_1t/12_1t2/feature/guide/rpf_plus.html

View solution in original post

tleroy · ‎05-11-2008

It seems that I'm misunderstanding something about how ip verify unicast sourc reachable-via, or by its old name, ip verify unicast reverse-path works. It's designed for use on border routers, so the default route problem doesn't make sense. Does anyone know of any Cisco white papers or references on Cisco's site that explain it clearly?

Joseph W. Doherty · ‎05-11-2008

Have you seen?

http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

http://www.cisco.com/en/US/docs/ios/11_1/feature/guide/uni_rpf.html

http://www.cisco.com/en/US/docs/ios/12_1t/12_1t2/feature/guide/rpf_plus.html

tleroy · ‎05-12-2008

Those links are very helpful, thanks Joseph.