Unicast Reverse Path Forwarding (Unicast RPF) is a feature that can reduce the effectiveness of packets with spoofed source addresses. A network device using Unicast RPF evaluates the source of each IP packet against its local routing table in order to determine source address validity. While it can detect and filter some spoofed traffic, Unicast RPF does not provide complete protection against spoofing because spoofed and valid packets with the same source address may arrive on the same interface.
Unicast RPF operates in two modes: strict and loose. In strict mode, the Unicast RPF feature uses the local routing table to determine whether the source address within a packet is reachable through the interface on which the packet was received. If it is reachable, the packet is permitted; if it is not, the packet is dropped. Strict mode Unicast RPF is best deployed on network boundaries where traffic asymmetry is not prevalent, since asymmetric routing causes legitimate packets to arrive on an interface other than the one the routing table points to, and strict mode drops them.
Strict mode Unicast RPF is enabled on Cisco IOS devices using the interface configuration command ip verify unicast source reachable-via rx; the previous format of this command was ip verify unicast reverse-path. Strict mode Unicast RPF can be enabled on the Cisco PIX, ASA, and FWSM firewalls using the ip verify reverse-path interface <interface-name> configuration command.
In loose mode Unicast RPF, if the source address of a packet is reachable through any interface on the Unicast RPF enabled device, the packet is permitted. If the source address of the IP packet is not present in the routing table, the packet is dropped. Loose mode Unicast RPF can be enabled on Cisco IOS devices using the ip verify unicast source reachable-via any interface configuration command; loose mode Unicast RPF is not available on Cisco PIX, ASA or FWSM firewalls.
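The strict and loose checks described above, written out as a small Python model so the difference between the two modes and the limitation noted in the first paragraph can be seen on concrete packets. This is an added example, not code from the original post or from Cisco; the routing table, interface names and addresses are constructed, and the table is assumed to contain no default route.

```python
import ipaddress
from typing import Optional

# Constructed sample routing table: (prefix, egress interface).
# No default route is present, so "not in the routing table" is meaningful.
ROUTING_TABLE = [
    ("10.1.0.0/16", "Gi0/1"),   # customer aggregate behind Gi0/1
    ("10.1.5.0/24", "Gi0/2"),   # more specific route for one subnet via Gi0/2
    ("192.0.2.0/24", "Gi0/3"),  # upstream provider block via Gi0/3
]


def lookup(src: str) -> Optional[str]:
    """Longest-prefix match: return the egress interface for src, or None
    when no route covers the address."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTING_TABLE:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_check(src: str, ingress: str, mode: str) -> bool:
    """Return True if a packet with source src arriving on ingress is permitted.

    loose:  permitted whenever any route covers the source address.
    strict: permitted only when the best route points back out the
            interface the packet arrived on.
    """
    iface = lookup(src)
    if iface is None:
        return False  # source not in routing table: dropped in both modes
    if mode == "loose":
        return True
    if mode == "strict":
        return iface == ingress
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    # A forged source that lives behind Gi0/1, arriving on Gi0/1, passes
    # strict mode: this is the same-interface limitation from the text.
    print(rpf_check("10.1.20.3", "Gi0/1", "strict"))  # True
    # The same forged source arriving from the upstream side is dropped.
    print(rpf_check("10.1.20.3", "Gi0/3", "strict"))  # False
```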
More information about Unicast RPF is available in the Applied Intelligence Understanding Unicast Reverse Path Forwarding white paper.
biOos