Friends who are studying the security track of the CCIE certainly have some understanding of URPF technology, so today we will explain URPF.

I. Introduction to URPF Technology

Generally, after receiving a packet, a router takes the destination IP address from the packet and looks it up in the local forwarding table. If a matching forwarding entry exists, the packet is forwarded; otherwise, it is discarded. In other words, when a router forwards a packet it pays no attention to the packet's source address, and this is what gives source address spoofing attacks their opportunity.

A source address spoofing attack constructs a stream of packets with forged source addresses and sends them at a high rate to the device or host that owns the destination address. Even though the response packets never reach the attacker, the attacker still causes a certain degree of damage to the target.

The main function of Unicast Reverse Path Forwarding (URPF) is to defend against network attacks based on source address spoofing. After URPF is enabled on a router interface, every packet received on that interface has its source address checked for legitimacy: if the forwarding table holds an entry for the source address (and, depending on the mode, that entry points back out through the receiving interface), the packet enters the normal forwarding process; otherwise, the packet is discarded.

II. The Working Mechanism of URPF

URPF checks the legitimacy of a packet's source address in one of two modes, strict and loose:

Strict URPF: requires not only that the router's forwarding table contains a route to the packet's source address, but also that the interface on which the packet arrived is the same as the outgoing interface of the route toward that source address. Only then is the packet considered legitimate. In some special cases (for example, when asymmetric paths exist), strict checking will wrongly discard packets that are not attack traffic.

Loose URPF: requires only that the router's routing table contains a route to the packet's source address; the inbound interface of the packet does not have to match the outgoing interface of the route toward the source address. Loose URPF checking can be configured when the user network cannot guarantee that packets arrive on the same interface that the route to their source address points to.
III. Advanced Features of URPF

Strict and loose checking are the two basic inspection mechanisms of URPF. On top of them, some devices add default route checking and ACL checking, which makes URPF inspection more flexible and comprehensive.

In particular, some devices add a link layer check on top of the strict URPF check: after confirming that a route to the source address exists and that its outgoing interface matches the inbound interface, the device also looks up the ARP entry for the source address and verifies that the source MAC address of the received packet is the same as the MAC address in that ARP entry. The link layer check is best suited to deployments in which a single Layer 3 Ethernet interface serves a large number of PC users.
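To make the decision logic of sections II and III concrete, here is a small simulation written for this article; it is not code from the original page or from any vendor's URPF implementation. It models a longest-prefix lookup over a constructed forwarding table, applies the strict and loose checks, and layers on the three extensions described above. The interface names, addresses and MAC addresses are invented, and the semantics of the default-route option (a source matched only by 0.0.0.0/0 is rejected unless the option is enabled) and the ACL option (sources in listed networks bypass the check) are assumptions about how those features are commonly implemented, not something the article states.

```python
# Added example (not from the original article or any vendor's implementation):
# a simulation of the URPF decision logic. Routing table, ARP table and
# packets are all constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str


# Constructed forwarding table: two user subnets plus a default route to the ISP.
ROUTES = [
    Route(ipaddress.ip_network("10.1.0.0/24"), "Gi0/1"),
    Route(ipaddress.ip_network("10.2.0.0/24"), "Gi0/2"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "Gi0/0"),
]

# Constructed ARP table for the user-facing interface Gi0/1: IP -> MAC.
ARP = {
    "10.1.0.5": "aa:bb:cc:00:00:05",
    "10.1.0.6": "aa:bb:cc:00:00:06",
}


def lookup(src, routes=ROUTES):
    """Longest-prefix match of the source address; returns a Route or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_check(src, in_iface, mode="strict", allow_default=False,
               exempt=(), src_mac=None, routes=ROUTES, arp=ARP):
    """Decide whether a packet passes URPF. Returns (accepted, reason).

    mode          'strict' (route must point back out in_iface) or 'loose'.
    allow_default assumed semantics of the default-route option: when False,
                  a source matched only by 0.0.0.0/0 is rejected.
    exempt        assumed semantics of the ACL option: sources inside these
                  networks bypass the reverse-path check entirely.
    src_mac       when given with strict mode, also apply the link-layer
                  check against the ARP entry for the source address.
    """
    addr = ipaddress.ip_address(src)
    for net in exempt:
        if addr in ipaddress.ip_network(net):
            return True, "permitted by ACL exception"
    route = lookup(src, routes)
    if route is None:
        return False, "no route to source address"
    if route.prefix.prefixlen == 0 and not allow_default:
        return False, "source matched only by the default route"
    if mode == "loose":
        return True, "loose: a route to the source exists"
    if route.out_iface != in_iface:
        # A spoofed source lands here, but so does legitimate traffic on an
        # asymmetric path, which is why strict mode can drop non-attack packets.
        return False, f"strict: source reachable via {route.out_iface}, arrived on {in_iface}"
    if src_mac is not None:
        expected = arp.get(src)
        if expected is None or expected.lower() != src_mac.lower():
            return False, "link-layer: source MAC does not match ARP entry"
    return True, "strict: route and inbound interface match"


if __name__ == "__main__":
    # Constructed packets: (source IP, inbound interface, source MAC or None)
    packets = [
        ("10.1.0.5", "Gi0/1", "aa:bb:cc:00:00:05"),  # genuine user on Gi0/1
        ("10.1.0.5", "Gi0/2", None),                 # spoofed (or asymmetric) on Gi0/2
        ("10.1.0.5", "Gi0/1", "de:ad:be:ef:00:01"),  # right IP, wrong MAC
        ("192.0.2.9", "Gi0/1", None),                # only the default route matches
    ]
    for src, iface, mac in packets:
        for mode in ("strict", "loose"):
            ok, why = urpf_check(src, iface, mode=mode, src_mac=mac)
            print(f"{mode:6} {src:>10} on {iface}: {'pass' if ok else 'drop'} ({why})")
```

Running the script shows the asymmetric-path trade-off directly: the packet from 10.1.0.5 arriving on Gi0/2 is dropped by strict mode and accepted by loose mode, while a source that is covered only by the default route is dropped in both modes unless allow_default is set.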
IV. Summary

Attacks such as TCP SYN flood, UDP flood and ICMP flood can strike a target device or host using source address spoofing, causing severe degradation of the attacked system's performance and even a system crash. URPF is a common technique used by network devices to prevent this kind of attack.

Different products from different vendors support URPF functions differently. For a specific deployment, please consult the relevant product manual to confirm the implementation on your device.
More Cisco technical articles are available at PASSHOT, which not only allows you to learn Cisco work skills but also helps you pass various CISCO exams, such as CCIE WRITTEN EXAM and CCIE LAB EXAM!