URPF
Unicast Reverse Path Forwarding
As we discussed in PBR, whenever a router receives a packet it looks only at the destination IP address in the routing table and picks the best exit interface to forward the packet. This means a router never checks whether the source address is reachable; it does not care about source reachability at all.
With URPF we can make a router verify the source address's reachability before it looks up the destination IP in the routing table to find the best path. Once this feature is enabled, the router first checks source reachability, and only if it finds a valid route does it look up the destination information.
URPF also prevents asymmetric routing (in strict mode), and it is a security feature that prevents spoofing attacks.
Spoofing attack: as we know, a router never checks the source address in an IP packet, so anyone can easily alter a packet or spoof a user's IP address and send it to any destination. If there is a security firewall in the transit path, it will simply allow the packet through, because it sees an infrastructure IP address as the source of that packet.
But when URPF is enabled on a router and an anonymous user spoofs an IP address and sends packets into the network, the router first checks the reverse entry to verify whether the source is reachable via the same interface on which the packet was received. If the router finds an incorrect combination, the packet is dropped. This is how a router prevents a spoofing attack.
URPF has two modes:
A. Loose Mode: the source should be reachable via any interface
B. Strict Mode: the source should be reachable via the same interface on which the packet was received
So let's do a lab and see how loose mode and strict mode work in a network, including the configuration part.
Loose mode:
In loose mode URPF, the router checks whether it has a reverse path to reach the source. If the router finds an entry, it goes on to look up the destination in the routing table; if not, it drops the packet without checking the destination at all.
While checking the reverse path it never checks on which interface the router received the packet; because of this, the router can still perform asymmetric routing.
So in our case, we will check reachability from Router-R1 to the loopback address of Router-R4 (4.4.4.4) using source 1.1.1.1. We will configure a static route to reach 4.4.4.4 on all the routers but will not add a static route to reach 1.1.1.1, and we will see whether Router-R4 receives the traffic or not.
From R1 we see that reachability to 4.4.4.4 using source 1.1.1.1 fails, yet on Router-R4 we see that the router is receiving ICMP packets. So the transit routers do not have a valid path back to the source, but the destination still receives all the data. Because of this behavior the routers are wasting link bandwidth: every link in the path is utilized even though the data is dropped in the end. We can prevent this by applying loose mode URPF.
So now let's enable URPF on Router-R2 and look at the output on Router-R1 and Router-R4, as well as the URPF output on Router-R2:
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip verify unicast source reachable-via any
R2(config-if)#exit
So here, after enabling loose mode URPF on Router-R2, we can see on Router-R1 that the traffic is no longer reaching its destination, Router-R4 is not receiving a single packet, and in the output of Router-R2 we can see 5 verification drops. Router-R2 is checking the source first, does not find an entry for it in the routing table, and therefore drops all the packets.
In loose mode URPF with the any keyword, the router looks for a specific route in the routing table to verify source reachability; if the router has only a default route to reach the source, it will not use it.
So whenever we have a link to an ISP with a default route pointing to the ISP, and we enable loose mode URPF on that same interface, we need to allow the router to also consider the default route when checking source reachability, because by default loose mode URPF does not check the default route.
Let's check it:
1. We will configure a default route on Router-R2 towards Router-R1 to make 1.1.1.1 reachable via the default route.
2. We will try to reach 4.4.4.4 from Router-R1 using source 1.1.1.1.
3. We will check the output.
R2(config)#ip route 0.0.0.0 0.0.0.0 12.0.0.01
So here, after putting a default route on Router-R2 towards Router-R1 to make 1.1.1.1 reachable, Router-R4 is still not receiving a single packet, and on Router-R2 we see more verification drops. So in loose mode with the any keyword the router never looks at the default route, but we can allow the router to check the default route by adding the allow-default keyword to the loose mode URPF command.
Let's enable allow-default:
R2(config-if)#interface fastEthernet 0/0
R2(config-if)#ip verify unicast source reachable-via any allow-default
R2(config-if)#exit
Now, after adding allow-default, Router-R1 is able to reach 4.4.4.4 successfully using source 1.1.1.1.
So, as we know, in loose mode the router only checks reachability; it never checks via which interface the source is reachable, and because of this a router can still perform asymmetric routing. That issue is resolved in strict mode URPF.
Strict Mode:
In strict mode URPF, whenever a router receives a packet it checks the source address reachability, and that source must be reachable via the same interface on which the packet was received.
So it has 2 checks:
a. The source should be reachable.
b. It should be reachable via the same interface on which the packet was received.
So now in our case we will first check reachability from Router-R1 to Router-R4 and set up routing so that the traffic goes via R1 -> R2 -> R3 -> R4 while the reverse path goes via R4 -> R2 -> R1.
So here we are creating a network where the forward and reverse paths are different, and in this case we use strict mode URPF.
Here we can see that the forward and the reverse paths are different. Now we will apply strict mode URPF on Router-R4 interface FastEthernet 0/0 and then check the output:
R4(config)#interface fastEthernet 0/0
R4(config-if)#ip verify unicast source reachable-via RX
R4(config-if)#exit
Now we will do a ping from Router-R1 to the loopback address 4.4.4.4 of Router-R4 and look at the output on Router-R4.
We can see on Router-R4 that strict mode is enabled and has dropped 5 packets; that is why the ping from Router-R1 is not successful.
In strict mode URPF we can also allow the router to check the default route using the allow-default keyword, just as we did in loose mode URPF.
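To make the loose/strict decision logic from both lab sections concrete, here is an added Python model of the URPF check (example code, not from the page or from Cisco IOS). It assumes a simplified longest-prefix-match table with constructed routes; every interface name other than FastEthernet0/0 (FastEthernet0/1, Loopback0) is an assumption.

```python
import ipaddress

# Constructed routing tables modelled on the lab. Entries are (prefix, exit interface);
# interface names other than FastEthernet0/0 are assumptions, not the page's config.
R2_NO_DEFAULT = [("4.4.4.4/32", "FastEthernet0/1"), ("12.0.0.0/24", "FastEthernet0/0")]
R2_WITH_DEFAULT = R2_NO_DEFAULT + [("0.0.0.0/0", "FastEthernet0/0")]
# On R4 the forward path arrives from R3 on FastEthernet0/0, but the reverse path
# to 1.1.1.1 points toward R2 on a different (assumed) interface.
R4 = [("1.1.1.1/32", "FastEthernet0/1"), ("4.4.4.4/32", "Loopback0")]


def lookup(routes, addr):
    """Longest-prefix match, the way a router's forwarding table lookup works."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(routes, src, in_iface, mode="any", allow_default=False):
    """Return 'forward' or 'drop' for a packet with source src received on in_iface.

    mode='any' models loose mode (ip verify unicast source reachable-via any),
    mode='rx' models strict mode (ip verify unicast source reachable-via rx),
    allow_default models the allow-default keyword.
    """
    match = lookup(routes, src)
    if match is None:
        return "drop"  # no route back to the source at all
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return "drop"  # only a default route matches: ignored unless allow-default is set
    if mode == "rx" and iface != in_iface:
        return "drop"  # strict: reverse path must leave via the receiving interface
    return "forward"


def lab_results():
    """Reproduce the outcomes seen in the lab on R2 (loose mode) and R4 (strict mode)."""
    rx = "FastEthernet0/0"
    return {
        "r2_loose_no_route": urpf_check(R2_NO_DEFAULT, "1.1.1.1", rx),
        "r2_loose_default_only": urpf_check(R2_WITH_DEFAULT, "1.1.1.1", rx),
        "r2_loose_allow_default": urpf_check(R2_WITH_DEFAULT, "1.1.1.1", rx, allow_default=True),
        "r4_strict_asymmetric": urpf_check(R4, "1.1.1.1", rx, mode="rx"),
        "r4_loose_asymmetric": urpf_check(R4, "1.1.1.1", rx),
    }
```

The last two entries show why loose mode alone does not stop the asymmetric case: the same packet that strict mode drops on R4 is forwarded under loose mode because 1.1.1.1 is reachable, just not via the receiving interface.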
CNC | Core Networking Classes
www.corenetworkingclasses.com