Reverse path filtering
From Wikipedia, the free encyclopedia
Reverse path filtering (RPF) is a feature provided by most modern Internet Protocol routers, which may be used to reduce the risk of customers attacking other Internet hosts.
One of the problems network service providers face today is customers generating packets with fake source IP addresses, a technique known as spoofing. This is often done in order to initiate a denial-of-service attack against another internet host or network.
Since the source IP addresses of the incoming packets change, often randomly, and for every packet, the target of such an attack can't easily filter out the attacking packets. However, the source of the attack, i.e. the network service provider of the attacking host, has a simple way to stop such packets from ever leaving its network. A router always knows which networks are reachable via any of its interfaces. By checking the source IP address of all packets coming in via an interface against the networks known to be behind that interface, the router can simply drop packets that aren't supposed to come from there.
Hence, reverse path filtering filters packets according to the "reverse path" to their source address. If the path back to the source address does not match the path the packet is coming from, it is dropped.
Contents |
[edit] Implementations
Checking the reverse path is generally not enabled by default. If required, it should be enabled either globally, or per interface. Some implementations offer two different RPF modes: loose and strict. Strict mode is as described above, while loose mode will accept a packet if its source IP address is in the routing table, though not necessarily behind the interface the packet comes from.
Strict RPF mode is suitable for edge devices and routers running simple, non-multihomed networks. Loose RPF mode is more suited to core routers in large networks.
[edit] Cisco
Cisco IOS calls this feature unicast Reverse Path Forwarding (uRPF). It can be enabled per interface, and requires Cisco Express Forwarding. The following example turns on uRPF on an interface:
Router(config)#interface FastEthernet1/0 Router(config-if)#ip verify unicast reverse-path
However, IOS online help calls "reverse-path" an "old command format." The newer syntax is:
Router(config)#interface FastEthernet1/0 Router(config-if)#ip verify unicast source reachable-via [any|rx] [allow-default|allow-self-ping] ACL#
[edit] Linux
The following shell command enables reverse path filtering on an interface:
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
Instead of eth0, the keyword all may be used, to enable RPF on all interfaces.
[edit] Juniper
The following JunOS command may be used to enable RPF on an interface:
edit interfaces so-0/1/0 family inet rpf-check
Likewise, the following JUNOSe configuration command may be used to enable RPF on an interface:
ERX(config)# interface gigabitEthernet 1/0 ERX(config-if)# ip sa-validate
[edit] OpenBSD
The following pf command enables reverse path filtering (urpf) (since OpenBSD 3.9-current):
block in from urpf-failed to any
[edit] See also
- Unicast reverse path filtering should not be confused with multicast reverse path forwarding
- Strict mode uRPF
- Loose mode uRPF
- VRF mode uRPF
- feasible-path strict uRPF
