URPF

Unicast Reverse Path Forwarding


As we discussed in PBR, whenever a router receives a packet it looks only at the destination IP in the routing table to find the best exit interface. It never checks where the packet came from: the router does not care whether the source address is reachable at all.

With URPF we can make the router check the reachability of the source address before it looks up the destination IP in the routing table. Once the feature is enabled, the router first verifies that it has a route back to the source, and only if it finds a valid route does it go on to look up the destination.

URPF also prevents asymmetric routing, and it is a security feature that prevents source-address spoofing attacks.

Spoofing attack: as we know, a router never checks the source address of an IP packet, so anyone can alter a packet or spoof a legitimate user's IP address and send it to any destination. A firewall in the transit path will simply allow the packet, because the source it sees is a trusted infrastructure IP address.

But once URPF is enabled on a router and an anonymous user sends packets with a spoofed source address into the network, the router first checks the reverse entry to verify whether the source is reachable via the interface on which the packet was received. If the router finds an incorrect combination, the packet is dropped. This is how a router prevents the spoofing attack.

URPF has two modes:

A. Loose Mode: the source should be reachable via any interface.

B. Strict Mode: the source should be reachable via the same interface on which the packet was received.


So let's do a lab and see how Loose mode and Strict mode behave in a network, and also cover the configuration part.

Loose mode:

In Loose mode URPF, the router asks, "do I have a reverse path to reach the source or not?" If the router finds an entry it goes on to look up the destination in the routing table; if not, it drops the packet without checking the destination.

While checking the reverse path it never looks at which interface the packet arrived on, so a router in Loose mode can still perform asymmetric routing.

So in our case we will test reachability from Router-R1 to Router-R4's loopback address (4.4.4.4) using source 1.1.1.1. We will configure a static route to reach 4.4.4.4 on all the routers but will not add any static route to reach 1.1.1.1, and then see whether Router-R4 receives the traffic or not.


From R1 we see no successful reachability to 4.4.4.4 using source 1.1.1.1, yet on Router-R4 we can see that the router is receiving the ICMP packets. The transit routers have no valid path back to the source, but the destination still receives all the data. Because of this behaviour the routers burn bandwidth on every link along the path for traffic whose replies are ultimately dropped. We can prevent this by applying Loose Mode URPF.
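To make the two modes and the lab behaviour concrete, here is an added Python model of the uRPF source check (it is not part of the original post and not Cisco's implementation). It uses a constructed routing table for R2 with a static route to 4.4.4.4 and no route to 1.1.1.1; the interface names and link subnets are assumptions. It goes one step beyond the lab by also modelling the default-route case: Cisco IOS does not treat the default route as a valid reverse path unless the allow-default keyword is configured on the ip verify unicast command.

```python
import ipaddress

# Constructed routing table for R2 in the lab. There is a static route to R4's
# loopback 4.4.4.4 but no route back to R1's loopback 1.1.1.1.
# Interface names and link subnets are assumptions, not taken from the lab.
R2_ROUTES = [
    ("10.1.12.0/24", "FastEthernet0/0"),  # link towards R1 (assumed)
    ("10.1.23.0/24", "FastEthernet0/1"),  # link towards R3 (assumed)
    ("4.4.4.4/32", "FastEthernet0/1"),    # static route to R4 loopback
]

# Same table plus a default route, to show why allow-default matters.
R2_ROUTES_WITH_DEFAULT = R2_ROUTES + [("0.0.0.0/0", "FastEthernet0/1")]


def lookup(routes, address):
    """Longest-prefix match. Returns (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(routes, src, ingress_iface, mode="loose", allow_default=False):
    """Source check performed before the destination lookup.

    mode 'loose'  : source must be reachable via any interface (reachable-via any)
    mode 'strict' : source must be reachable via the ingress interface (reachable-via rx)
    allow_default : whether a default route counts as a reverse path (IOS: only
                    with the allow-default keyword)
    Returns (verdict, reason) where verdict is 'pass' or 'drop'.
    """
    match = lookup(routes, src)
    if match is None:
        return ("drop", f"no reverse path to {src}")
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return ("drop", f"only the default route matches {src}, allow-default is off")
    if mode == "strict" and iface != ingress_iface:
        return ("drop", f"{src} is reachable via {iface} but arrived on {ingress_iface}")
    return ("pass", f"{src} reachable via {iface}")


def forward(routes, src, dst, ingress_iface, mode="loose", allow_default=False):
    """Full path: uRPF check first, destination lookup only if it passes."""
    verdict, reason = urpf_check(routes, src, ingress_iface, mode, allow_default)
    if verdict == "drop":
        return ("drop", reason)
    out = lookup(routes, dst)
    if out is None:
        return ("drop", f"no route to destination {dst}")
    return ("forward", f"{reason}; forward to {dst} via {out[1]}")


if __name__ == "__main__":
    # The lab packet: source 1.1.1.1 (no route back), destination 4.4.4.4.
    print(forward(R2_ROUTES, "1.1.1.1", "4.4.4.4", "FastEthernet0/0", "loose"))
    # Legitimate source on the R1 link, strict mode, correct ingress interface.
    print(forward(R2_ROUTES, "10.1.12.5", "4.4.4.4", "FastEthernet0/0", "strict"))
    # Same source but arriving on the wrong interface: loose passes, strict drops.
    print(forward(R2_ROUTES, "10.1.23.5", "4.4.4.4", "FastEthernet0/0", "loose"))
    print(forward(R2_ROUTES, "10.1.23.5", "4.4.4.4", "FastEthernet0/0", "strict"))
    # Default route present: dropped unless allow-default is set.
    print(urpf_check(R2_ROUTES_WITH_DEFAULT, "1.1.1.1", "FastEthernet0/0", "loose"))
    print(urpf_check(R2_ROUTES_WITH_DEFAULT, "1.1.1.1", "FastEthernet0/0", "loose", True))
```

The first call reproduces the lab: with no route to 1.1.1.1, the packet is dropped at R2 before the 4.4.4.4 lookup ever happens. The third and fourth calls show the difference between the modes on the same packet, and the last two show that a default route quietly turns loose mode into "accept everything" once allow-default is on, which is why the keyword should be used deliberately on edge interfaces.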

So now let's enable URPF on Router-R2 (the reachable-via any keyword selects Loose mode), then check the output on Router-R1 and Router-R4 and look at the URPF counters on Router-R2.

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip verify unicast source reachable-via any
R2(config-if)#exit