Which of these statements accurately identifies how Unicast Reverse Path Forwarding can be
employed to prevent the use of malformed or forged IP sources addresses?
A.
It is applied only on the input interface of a router.
B.
It is applied only on the output interface of a router.
C.
It can be configured either on the input or output interface of a router.
D.
It cannot be configured on a router interface.
E.
It is configured under any routing protocol process.
Explanation:
Unicast Reverse Path Forwarding:
Is a small security feature, when configured on an interface, the router checks the incoming
packet’s source address with its routing table. If the incoming packet’s source is reachable via the
same interface it was received, the packet is allowed. URPF provides protection again spoofed
packets with unverifiable source.
http://www.cciecandidate.com/?p=494
Unicast RPF can be used in any “single-homed” environment where there is essentially only oneaccess point out of the network; that is, one upstream connection. Networks having one access
point offer the best example of symmetric routing, which means that the interface where a packet
enters the network is also the best return path to the source of the IP packet. Unicast RPF is best
used at the network perimeter for Internet, intranet, or extranet environments, or in ISP
environments for customer network terminations.
Feature Overview
The Unicast RPF feature helps to mitigate problems that are caused by the introduction of
malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that
lack a verifiable IP source address.
For example, a number of common types of denial-of-service (DoS) attacks, including Smurf and
Tribe Flood Network (TFN), can take advantage of forged or rapidly changing source IP addresses
to allow attackers to thwart efforts to locate or filter the attacks. For Internet service providers
(ISPs) that provide public access, Unicast RPF deflects such attacks by forwarding only packets
that have source addresses that are valid and consistent with the IP routing table. This action
protects the network of the ISP, its customer, and the rest of the Internet.
How It Works
When Unicast RPF is enabled on an interface, the router examines all packets received as input
on that interface to make sure that the source address and source interface appear in the routing
table and match the interface on which the packet was received. This “look backwards” ability is
available only when Cisco express forwarding (CEF) is enabled on the router, because the lookup
relies on the presence of the Forwarding Information Base (FIB). CEF generates the FIB as part of
its operation.
Note Unicast RPF is an input function and is applied only on the input interface of a router at the
upstream end of a connection.http://www.cisco.com/en/US/docs/ios/11_1/feature/guide/uni_rpf.html