What is true about Unicast RPF in strict mode?

A.
It works well with a multihomed environment.

B.
It will inspect IP packets that are encapsulated in tunnels, such as GRE, L2TP, or PPTP.

C.
uRPF is performed within the CEF switching path.

D.
There might be a problem with DHCP as Unicast RPF is blocking packets with a 0.0.0.0 source address.

Explanation:
Understanding uRPF – Unicast Reverse Path Forwarding
Spoofed packets are a big problem on the Internet; they are commonly used in DNS amplification attacks and TCP SYN floods. Unfortunately there is no simple way to stop all spoofed packets on the Internet, but if service providers implement ingress filtering on their network, it effectively stops such attacks with spoofed source addresses coming from their patch. The process is actually standardised Best Practice in BCP 38 "Network Ingress Filtering", which all service providers should implement if they have Internet-facing services, for good karma.
There are a number of ways of implementing ingress filtering; one of the technically simplest is to create ACLs of your customers' global address ranges and only allow packets sourced from those ranges to leave your network. Configuration-wise, Unicast Reverse Path Forwarding (uRPF) is in my opinion the simplest way of managing this, and it has a couple of extra features.
uRPF checks incoming unicast packets and validates that a return path exists; there is not much point in forwarding a packet if the router doesn't know how to return it, right?
There are two modes of uRPF: strict and loose. Strict mode requires that the source of the packet is reachable via the interface on which it arrived. This is nice for extra security on the edge of your network, but not so good if you have multiple edges towards the Internet, e.g. you peer at multiple IXPs where you might expect asymmetric routing. In such cases loose mode is used, which only checks that a return route exists in the routing table.
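The strict-versus-loose decision described above, modelled in Python as an added example (not part of the original page or of Cisco IOS): a constructed FIB is consulted with longest-prefix match, strict mode additionally requires the matched next-hop interface to equal the ingress interface, and a default-route match is not accepted unless explicitly allowed, mirroring the IOS allow-default behaviour.

```python
import ipaddress

# Constructed FIB for the example: prefix -> interface the route points out of.
FIB = {
    "10.1.0.0/16": "Gi0/1",      # customer aggregate, primary edge
    "10.1.5.0/24": "Gi0/2",      # more specific, preferred via second edge
    "192.0.2.0/24": "Gi0/3",     # an internal prefix
    "0.0.0.0/0": "Gi0/0",        # default route towards the Internet
}


def lookup(src):
    """Longest-prefix match of a source address against the FIB."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(src, ingress, mode, allow_default=False):
    """Return True if a packet from src arriving on ingress passes uRPF.

    mode is 'strict' (reachable-via rx) or 'loose' (reachable-via any).
    A match against the default route only counts when allow_default is set.
    """
    match = lookup(src)
    if match is None:
        return False
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True            # any return route is enough
    return iface == ingress    # strict: route must point back out the ingress


if __name__ == "__main__":
    # Asymmetric routing: the packet legitimately arrives on Gi0/1, but the
    # best route back points to Gi0/2, so strict mode drops it and loose passes.
    print(urpf_check("10.1.5.7", "Gi0/1", "strict"), urpf_check("10.1.5.7", "Gi0/1", "loose"))
    # Internet-facing edge: a source claiming an internal prefix is caught by
    # strict mode only, because loose mode sees that a route exists.
    print(urpf_check("192.0.2.9", "Gi0/0", "strict"), urpf_check("192.0.2.9", "Gi0/0", "loose"))
```

The second pair of results is why loose mode is weaker against spoofing of addresses that do exist in the routing table; it mainly catches sources with no route at all (bogons and unallocated space).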
Configuration
The configuration is super simple: after CEF has been enabled, just go to the interface on which you wish to check inbound traffic and use the following command, with the "rx" option for strict mode or "any" for loose mode.
Router(config-if)#ip verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received

Verification
Obviously you can check the running config to see if it's configured, but if you're a fan of using other show commands, it's visible under sh cef interface and sh ip interface, as shown below:
Router#sh cef interface fastEthernet 0/0 | i RPF
IP unicast RPF check is enabled
Router# sh ip int fa0/0 | i verify
IP verify source reachable-via RX
