Notes on Unicast Reverse Path Forwarding (uRPF)

uRPF lets the router examine the source IP of each packet and decide whether to forward or drop it, according to the configured method. This feature helps limit DDoS traffic that relies on spoofed source addresses. To examine the source IP of packets on the incoming interface, enable Reverse Path Forwarding (uRPF) with the command ip verify unicast source reachable-via { rx | any } [allow-default] [allow-self-ping] [list] (CEF must be enabled for uRPF to work).

Packets can be examined in two ways:

  • Strict RPF – Using the rx parameter, the router checks in the routing table whether the outgoing interface toward the source IP is the same interface on which the packets were received. Otherwise the packets are dropped.
  • Loose RPF – Using the any parameter, the router checks whether any route exists that could be used to reach the source IP.

By default the command ignores the default route when performing the check; to include the default route in the check, add the allow-default parameter.

One concern when implementing this feature is asymmetric flows; Loose mode is a scalable option for networks with asymmetric routing paths.

Examples:

Connections:

(192.168.10.0/24)R2-f0/1——-f0/0-R3(spoof-address Loop10)

Example 1:

Spoofed source address 192.168.10.0/24

R2(config)#
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/1
ip address 192.168.20.2 255.255.255.0
ip verify unicast source reachable-via rx
!
ip route 0.0.0.0 0.0.0.0 192.168.20.1

R3(config)#
ip route 0.0.0.0 0.0.0.0 192.168.20.2

interface loop10
desc spoof address
ip address 192.168.10.1 255.255.255.0

interface loop11
ip address 1.1.1.1 255.255.255.0

interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0

R3(config)#do ping 10.10.10.10 source loop10 rep 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
..
Success rate is 0 percent (0/2)

R2#sh ip traffic
IP statistics:

Drop: 1982 encapsulation failed, 0 unresolved, 0 no adjacency
9 no route, 2 unicast RPF, 0 forced drop
0 options denied

R2#sh ip int f0/1
FastEthernet0/1 is up, line protocol is up
Internet address is 192.168.20.2/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes

IP verify source reachable-via RX
2 verification drops

Example 2:
Excluding networks from the uRPF check with an ACL

R2(config)#

access-list 10 permit 1.1.1.0 0.0.0.255

interface FastEthernet0/1
no ip verify unicast source reachable-via rx
ip verify unicast source reachable-via rx 10

R3(config)#
no interface loopback10

R3(config)#do ping 192.168.10.1 source loop11 rep 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 30/40/49 ms

Example 3:

Allowing any source (via the default route) to pass the uRPF check

R2(config)#

interface FastEthernet0/1
no ip verify unicast source reachable-via rx 10
ip verify unicast source reachable-via rx

R3(config)#do ping 192.168.10.1 source loop11 rep 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
..
Success rate is 0 percent (0/2)

!Allow the default route in the uRPF check when no specific route exists

R2(config)#

interface FastEthernet0/1
ip verify unicast source reachable-via rx allow-default

R3(config)#do ping 192.168.10.1 source loop11 rep 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 40/46/52 ms

R2#sh ip int f0/1
FastEthernet0/1 is up, line protocol is up
Internet address is 192.168.20.2/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes

IP verify source reachable-via RX, allow default
4 verification drops
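The decision logic behind the three examples above, as an added Python model (not Cisco code, and an assumption about IOS behaviour rather than its implementation): it applies longest-prefix match, the strict/loose rule, the allow-default handling and the ACL exemption to constructed packets that match the R2 configuration, and also shows the asymmetric case where loose mode would still forward.

```python
import ipaddress

# Constructed model of the uRPF decision described in the notes:
# strict (rx) / loose (any), allow-default, and ACL exemption. Not IOS code.

def lookup(routes, src):
    """Longest-prefix match; returns (network, out_iface) or None."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(src) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best

def urpf_check(routes, src, in_iface, mode="rx", allow_default=False, exempt=()):
    """Return 'forward' or 'drop' for a packet from src arriving on in_iface."""
    hit = lookup(routes, src)
    if hit is not None and hit[0].prefixlen == 0 and not allow_default:
        hit = None  # the default route is ignored unless allow-default is set
    if hit is None:
        passed = False  # no usable route back to the source
    elif mode == "rx":
        passed = hit[1] == in_iface  # strict: route must point out the incoming interface
    else:
        passed = True  # loose: any usable route to the source is enough
    if not passed and any(ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in exempt):
        passed = True  # ACL exemption: check failed, but the ACL permits the source
    return "forward" if passed else "drop"

# Constructed R2 routing table matching the topology in the notes.
R2_ROUTES = [
    ("192.168.10.0/24", "f0/0"),
    ("192.168.20.0/24", "f0/1"),
    ("0.0.0.0/0", "f0/1"),
]

def example_outcomes():
    """Verdicts for the packets seen in the three examples, plus a loose-mode case."""
    return {
        "ex1_spoofed": urpf_check(R2_ROUTES, "192.168.10.1", "f0/1"),
        "ex2_acl_exempt": urpf_check(R2_ROUTES, "1.1.1.1", "f0/1", exempt=("1.1.1.0/24",)),
        "ex3_no_default": urpf_check(R2_ROUTES, "1.1.1.1", "f0/1"),
        "ex3_allow_default": urpf_check(R2_ROUTES, "1.1.1.1", "f0/1", allow_default=True),
        "loose_asymmetric": urpf_check(R2_ROUTES, "192.168.10.1", "f0/1", mode="any"),
    }

if __name__ == "__main__":
    for name, verdict in example_outcomes().items():
        print(f"{name}: {verdict}")
```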
