ashirkar (Level 7)

Introduction:

When connected to public networks, one common method to initiate an attack is to utilize IP source address spoofing. In this method, the hacker attempts to send traffic into the network with a source address that is known or trusted by the target. If no protection exists, the organizational network will allow the traffic and potentially be open to a number of different attack types.

In the past, the solution to this problem was to build a set of access lists that manually blocked traffic arriving on an external interface but sourced from an IP address that existed within the internal network. For a small network this configuration is typically not much of a problem, since the list of IP addresses to guard against is short and relatively easy to maintain. For a larger organization, however, keeping these access lists (ACLs) in step with the ongoing allocation of addresses within the organization is time-consuming. The Unicast RPF feature was developed to solve these problems while requiring only a small amount of maintenance.

As in IPv4, Unicast RPF in IPv6 helps protect a router from DoS attacks using spoofed IPv6 host addresses by discarding IPv6 packets that lack a verifiable IPv6 source address.

URPF works in two modes, strict mode and loose mode:

1) Strict Mode: When you configure IPv6 Unicast RPF by issuing the "ipv6 verify unicast source reachable-via rx" command on an interface, the router performs a recursive lookup in the IPv6 routing table to verify that the source of the IP packet arrives on the same interface the router would use to reach that source address. If this check passes, the packet is allowed through; if not, the router drops it.

2) Loose Mode: In this mode the router only verifies that the source IPv6 address exists in the routing table. It is enabled using the "ipv6 verify unicast source reachable-via any" command.

 

Configuration Example:

In the topology below, hosts on network FC00:1:1:1::/64 connected to R2's interface fa0/0 and hosts on network FC00:1:1:2::/64 connected to R3's LAN interface fa0/0 are accessing server 3001::1 connected to R1's interface fa2/0.

Topology Diagram: urpf.jpg

Initial configuration:

R2:

ipv6 unicast-routing
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Serial0/0
 ipv6 address 2001::2/64
 ipv6 ospf 100 area 0
 clock rate 2000000
!
interface FastEthernet0/0
 ipv6 address FC00:1:1:1::2/64
 ipv6 ospf 100 area 0

R3:

ipv6 unicast-routing
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Serial0/0
 ipv6 address 2002::2/64
 ipv6 ospf 100 area 0
!
interface FastEthernet0/0
 ipv6 address FC00:1:1:2::2/64
 ipv6 ospf 100 area 0

R1:

ipv6 unicast-routing
ipv6 cef
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Serial1/0
 ipv6 address 2001::1/64
 ipv6 ospf 100 area 0
!
interface Serial1/1
 ipv6 address 2002::1/64
 ipv6 ospf 100 area 0
!
interface FastEthernet2/0
 ipv6 address 3001::2/64
 ipv6 ospf 100 area 0

We have configured OSPF between R2 and R1 and between R3 and R1 to propagate routes. The routing table output of R1 below shows that routes are being propagated in the network.

 

R1#sh ipv6 route
IPv6 Routing Table - default - 9 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   2001::/64 [0/0]
     via Serial1/0, directly connected
L   2001::1/128 [0/0]
     via Serial1/0, receive
C   2002::/64 [0/0]
     via Serial1/1, directly connected
L   2002::1/128 [0/0]
     via Serial1/1, receive
C   3001::/64 [0/0]
     via FastEthernet2/0, directly connected
L   3001::2/128 [0/0]
     via FastEthernet2/0, receive
O   FC00:1:1:1::/64 [110/65]
     via FE80::3, Serial1/0
O   FC00:1:1:2::/64 [110/65]
     via FE80::2, Serial1/1
L   FF00::/8 [0/0]
     via Null0, receive

 

Strict mode configuration on router R1:

As shown in this example, the correct path from the FC00:1:1:1::/64 network to the 3001::/64 network is through R1's interface s1/0. If Unicast RPF ("Strict mode") is configured on R1's s1/0 and s1/1 interfaces, traffic between the FC00:1:1:1::/64 and 3001::/64 networks passes fine, as long as it is received on the s1/0 interface. If an attacker attempted to send traffic to the 3001::/64 network through R3 using a source address of FC00:1:1:1::1/64 without the Unicast RPF feature enabled, the traffic could pass through and reach the destination. With the Unicast RPF feature enabled, the device (in this case R1) checks whether the "best" return path to the source uses the s1/1 interface on which the traffic was received; because the "best" return path is through the s1/0 interface, the Unicast RPF check fails and the traffic is dropped.

 

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int s1/0
R1(config-if)#ipv6 verify unicast source reachable-via rx
R1(config-if)#int s1/1
R1(config-if)#ipv6 verify unicast source reachable-via rx
R1(config-if)#end

 

Verification:

From the output below you can see that no packet drops are shown under the URPF section.

 

R1#sh ipv6 int s1/1 | beg IPv6 verify source reachable-via rx
IPv6 verify source reachable-via rx
   0 verification drop(s) (process), 0 (CEF)
   0 suppressed verification drop(s) (process), 0 (CEF)
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
Hosts use stateless autoconfig for addresses.

R1#sh ipv6 int s1/0 | beg IPv6 verify source reachable-via rx
IPv6 verify source reachable-via rx
   0 verification drop(s) (process), 0 (CEF)
   0 suppressed verification drop(s) (process), 0 (CEF)
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
Hosts use stateless autoconfig for addresses.

 

Once an attacker attempts to send traffic to the 3001::/64 network from R3 through the s1/1 interface using a source address of FC00:1:1:1::1/64, the Unicast RPF check fails and the traffic is dropped.

 

R1#sh ipv6 int s1/1 | beg IPv6 verify source reachable-via rx
IPv6 verify source reachable-via rx
   0 verification drop(s) (process), 5 (CEF)
   0 suppressed verification drop(s) (process), 0 (CEF)
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
Hosts use stateless autoconfig for addresses.

R1#sh cef interface s1/1 internal | beg IPv6 unicast
IPv6 unicast RPF: via=rx acl=None, drop=5, sdrop=0
IPv6: enabled 1 unreachable TRUE redirect TRUE mtu 1500 flags 0x0
       Switching mode is CEF
       Belongs to global table IPv6:Default
       Input features: Verify Unicast Reverse-Path

 

Loose mode configuration on R1 router:

 

Using the same example, if Unicast RPF ("Loose mode") were configured instead, the traffic would be allowed onto the 3001::/64 network, because the FC00:1:1:1::1/64 network is present in the CEF FIB as a reachable network and the source interface is not checked. But if the source IP address does not exist in the CEF FIB (routing table), URPF drops the traffic.

 

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int s1/0
R1(config-if)#ipv6 verify unicast source reachable-via any
R1(config-if)#int s1/1
R1(config-if)#ipv6 verify unicast source reachable-via any
R1(config-if)#end

 

Verification:

We clear the interface counters first so that no packet drops are shown under the URPF section.

R1#clear counters
Clear "show interface" counters on all interfaces [confirm]
R1#
*Jan 24 00:20:05.687: %CLEAR-5-COUNTERS: Clear counter on all interfaces by console

R1#sh ipv6 int s1/1 | beg IPv6 verify source reachable-via any
IPv6 verify source reachable-via any
   0 verification drop(s) (process), 0 (CEF)
   0 suppressed verification drop(s) (process), 0 (CEF)
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
Hosts use stateless autoconfig for addresses.

R1#sh ipv6 int s1/0 | beg IPv6 verify source reachable-via any
IPv6 verify source reachable-via any
   0 verification drop(s) (process), 0 (CEF)
   0 suppressed verification drop(s) (process), 0 (CEF)
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
Hosts use stateless autoconfig for addresses.

 

Once an attacker attempts to send traffic to the 3001::/64 network from R3 through the s1/1 interface using a source address of FC00:1:1:1::1/64, the traffic is allowed, because the source interface is not checked.

R1#sh ipv6 int s1/1 | beg IPv6 verify source reachable-via any
IPv6 verify source reachable-via any
   0 verification drop(s) (process), 0 (CEF)
   0 suppressed verification drop(s) (process), 5 (CEF)
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
Hosts use stateless autoconfig for addresses.

R1#sh cef interface s1/1 internal | beg IPv6 unicast
IPv6 unicast RPF: via=any acl=None, drop=0, sdrop=5
IPv6: enabled 1 unreachable TRUE redirect TRUE mtu 1500 flags 0x0
       Switching mode is CEF
       Belongs to global table IPv6:Default
       Input features: Verify Unicast Reverse-Path

 

Optionally, you can also attach an access list, using the "ipv6 verify unicast source reachable-via any Access-list_name" command for loose mode and the "ipv6 verify unicast source reachable-via rx Access-list_name" command for strict mode.

When an access list is specified, further customization is possible: access list permit statements allow matching traffic to be forwarded even if it fails the Unicast RPF check, while access list deny statements drop matching traffic that fails the Unicast RPF check.

There are two other options: "allow-default", which allows the default route to be used when verifying source addresses, and "allow-self-ping", which allows the router to ping itself, although allowing self-ping opens the router up to a DoS vulnerability.
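The strict and loose checks described above, together with the allow-default and access-list options, reduce to one per-packet decision: look up the source address in the FIB and compare the result with the ingress interface. The following Python model reproduces that decision against a constructed copy of R1's IPv6 routing table from this article. It is an added illustration written for this document, not IOS code or output from the lab: the `Route` type, the `urpf_check` function, its keyword names, the `acl` callable and the sample packets are assumptions made for the example; the prefixes and interface names come from the routing table shown above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

# Model of the IOS IPv6 uRPF decision (added example, not IOS code).
# Option names mirror the CLI keywords: mode="rx" (strict), mode="any" (loose),
# allow_default (allow-default), acl (the optional access list argument).


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv6Network
    interface: str  # egress interface the router would use to reach this prefix


# Constructed copy of R1's "show ipv6 route" entries relevant to the check
# (connected and OSPF routes; link-local next hops do not affect the decision).
R1_FIB: List[Route] = [
    Route(ipaddress.IPv6Network("2001::/64"), "Serial1/0"),
    Route(ipaddress.IPv6Network("2002::/64"), "Serial1/1"),
    Route(ipaddress.IPv6Network("3001::/64"), "FastEthernet2/0"),
    Route(ipaddress.IPv6Network("FC00:1:1:1::/64"), "Serial1/0"),
    Route(ipaddress.IPv6Network("FC00:1:1:2::/64"), "Serial1/1"),
]


def lookup(fib: List[Route], addr: ipaddress.IPv6Address) -> Optional[Route]:
    """Longest-prefix match on the source address, as CEF does for the FIB."""
    best: Optional[Route] = None
    for route in fib:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def urpf_check(
    fib: List[Route],
    src: str,
    ingress: str,
    mode: str = "rx",
    allow_default: bool = False,
    acl: Optional[Callable[[ipaddress.IPv6Address], Optional[bool]]] = None,
) -> bool:
    """Return True if the packet passes uRPF (is forwarded), False if it is dropped.

    mode "rx": the best route to the source must point back out the ingress interface.
    mode "any": any route to the source is enough; the interface is not compared.
    allow_default: only when set may a ::/0 route satisfy the check.
    acl: consulted only after a failed check; True (permit) forwards anyway,
         False (deny) or None (no match) drops, mirroring the access-list option.
    """
    addr = ipaddress.IPv6Address(src)
    route = lookup(fib, addr)
    if route is not None and route.prefix.prefixlen == 0 and not allow_default:
        route = None  # a default route does not count unless allow-default is set
    if mode == "any":
        passed = route is not None
    elif mode == "rx":
        passed = route is not None and route.interface == ingress
    else:
        raise ValueError(f"unknown uRPF mode {mode!r}")
    if passed:
        return True
    if acl is not None:
        return acl(addr) is True
    return False


def article_scenarios() -> dict:
    """Replay the article's cases on R1: legitimate traffic, the spoofed source
    arriving from R3's side, and a source with no FIB entry at all."""
    legit = ("FC00:1:1:1::1", "Serial1/0")  # R2's LAN host, arriving on R2's link
    spoof = ("FC00:1:1:1::1", "Serial1/1")  # same source address, arriving from R3
    bogus = ("2003::1", "Serial1/1")        # constructed source absent from the FIB
    return {
        "strict_legit": urpf_check(R1_FIB, *legit, mode="rx"),
        "strict_spoof": urpf_check(R1_FIB, *spoof, mode="rx"),
        "loose_spoof": urpf_check(R1_FIB, *spoof, mode="any"),
        "loose_bogus": urpf_check(R1_FIB, *bogus, mode="any"),
    }


if __name__ == "__main__":
    for name, forwarded in article_scenarios().items():
        print(f"{name}: {'forwarded' if forwarded else 'dropped'}")
```

Running it shows the same outcome the counters above report: the spoofed source arriving on Serial1/1 is dropped in strict mode (the best path to FC00:1:1:1::/64 is Serial1/0) but forwarded in loose mode, while a source with no FIB entry is dropped in both modes. Adding a ::/0 route to the FIB changes nothing until allow_default is set, which is why loose mode on a router that carries a default route gives almost no protection unless that option is left off.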

 

To learn how to configure URPF on the Nexus 7K platform, please go through the document below:

Configuring Unicast RPF on 7K

Related information:

Understanding Unicast Reverse Path Forwarding

Comments:

Andras Dosztal (Level 3):

Nexus 7k uses the allow-default option implicitly; the 5k doesn't.
