Friday, February 3, 2017

Unicast Reverse Path Forwarding (uRPF)

Unicast Reverse Path Forwarding (uRPF) is used to verify that the source address of an IP packet is reachable, i.e. that the router has a route back to it.

How does it work?
  • uRPF is applied to an interface, where it checks the source address of the packets received on that interface.
  • It verifies the source against CEF's (Cisco Express Forwarding) FIB (Forwarding Information Base), so CEF must be enabled.

uRPF has two modes:
  • Strict - The router verifies that the source of the IP packet is reachable via the interface on which the packet was received.
  • Loose - The router verifies that the source of the IP packet is reachable via ANY interface.
  • The mode is selected with the {any | rx} keyword of the following interface command:
 Router1(config-if)# ip verify unicast source reachable-via ?
   any  Source is reachable via any interface
   rx   Source is reachable via interface on which packet was received



uRPF Lab (Strict Mode):

Problem: Router2 uses a loopback interface to send a message with a spoofed source address to the server 192.168.0.10 (PC1). Router1 has a connected route to the 192.168.0.0/24 network and forwards the message to the server. We can mitigate this risk by enabling uRPF on Router1's g0/0 interface, where the spoofed packets arrive.



Configuration

Note: For the sake of the lab, we will point uRPF at an ACL that logs its matches, so that we can see which packets failed the check on the interface. Currently, uRPF only accepts numbered ACLs.

Step 1: Verify that CEF is on.
Note: You can do this per interface to get more details, such as whether 'IP unicast RPF check' is enabled or disabled.
 Router1# show cef int gi0/0
 GigabitEthernet0/0 is up (if_number 3)
   Corresponding hwidb fast_if_number 3
   Corresponding hwidb firstsw->if_number 3
   Internet address is 10.0.0.1/24
   ICMP redirects are always sent
   Per packet load-sharing is disabled
   IP unicast RPF check is disabled
   Input features: Access List
   IP policy routing is disabled
   BGP based policy accounting on input is disabled
   BGP based policy accounting on output is disabled
   Hardware idb is GigabitEthernet0/0
   Fast switching type 1, interface type 27
   IP CEF switching enabled
   IP CEF switching turbo vector
   IP CEF turbo switching turbo vector
   IP prefix lookup IPv4 mtrie 8-8-8-8 optimized
   Input fast flags 0x1, Output fast flags 0x0
   ifindex 3(3)
   Slot  Slot unit 0 VC -1
   IP MTU 1500
 
Step 2 (Optional): Configure the uRPF ACL.
 Router1(config)# ip access-list standard 99
 Router1(config-std-nacl)# 10 deny any log
 
Step 3: Configure uRPF strict mode on Router1's G0/0 interface (omit the ACL number if you skipped Step 2).
Router1(config)# int gi0/0
Router1(config-if)# ip verify unicast source reachable-via rx 99

Step 4: Verify that 'IP unicast RPF check' is now enabled, using the same command as in Step 1.
 Router1# show cef int gi0/0
 GigabitEthernet0/0 is up (if_number 3)
   Corresponding hwidb fast_if_number 3
   Corresponding hwidb firstsw->if_number 3
   Internet address is 10.0.0.1/24
   ICMP redirects are always sent
   Per packet load-sharing is disabled
   IP unicast RPF check is enabled
   Input features: Access List
   IP policy routing is disabled
   BGP based policy accounting on input is disabled
   BGP based policy accounting on output is disabled
   Hardware idb is GigabitEthernet0/0
   Fast switching type 1, interface type 27
   IP CEF switching enabled
   IP CEF switching turbo vector
   IP CEF turbo switching turbo vector
   IP prefix lookup IPv4 mtrie 8-8-8-8 optimized
   Input fast flags 0x1, Output fast flags 0x0
   ifindex 3(3)
   Slot  Slot unit 0 VC -1
   IP MTU 1500
Conclusion: If a packet arrives on G0/0 with a source address whose best FIB entry does not point back out G0/0, the packet is dropped.
Here is what the FIB looks like for g0/0:
 Router1# show ip cef g0/0
 0.0.0.0/0
   nexthop 10.0.0.2 GigabitEthernet0/0
 10.0.0.0/24
   attached to GigabitEthernet0/0
 10.0.0.2/32
   attached to GigabitEthernet0/0
 10.1.0.0/16
   nexthop 10.0.0.2 GigabitEthernet0/0
Note: A source that matches only the default route (0.0.0.0/0 via next hop 10.0.0.2 in this case) is still dropped. To let the default route satisfy the check, add the allow-default keyword shown below. There are other options as well.
 Router1(config-if)# ip verify unicast source reachable-via rx ?
   <1-199>          IP access list (standard or extended)
   <1300-2699>      IP expanded access list (standard or extended)
   allow-default    Allow default route to match when checking source address
   allow-self-ping  Allow router to ping itself (opens vulnerability in
                    verification)
   l2-src           Check packets arrive with correct L2 source address
   <cr>
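To make the strict/loose distinction from the modes section and the allow-default behaviour from the note above concrete, here is an added Python model of the uRPF decision (example code written for this page, not Cisco's implementation). The FIB is constructed from the 'show ip cef g0/0' output above; the 192.168.0.0/24 entry via GigabitEthernet0/1 is an assumption, since the lab says Router1 reaches the server LAN over a connected interface but does not name it.

```python
import ipaddress

# Constructed FIB, modelled on the 'show ip cef g0/0' output above. The
# 192.168.0.0/24 entry via GigabitEthernet0/1 is an assumption: the lab says
# Router1 reaches the server LAN over a connected interface but does not name it.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): "GigabitEthernet0/0",       # default route
    ipaddress.ip_network("10.0.0.0/24"): "GigabitEthernet0/0",     # attached
    ipaddress.ip_network("10.0.0.2/32"): "GigabitEthernet0/0",     # attached host
    ipaddress.ip_network("10.1.0.0/16"): "GigabitEthernet0/0",
    ipaddress.ip_network("192.168.0.0/24"): "GigabitEthernet0/1",  # assumed server LAN
}


def fib_lookup(fib, src):
    """Longest-prefix match for src. Returns (prefix, interface) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_check(fib, src, ingress, mode="rx", allow_default=False):
    """Decide whether a packet with source `src`, received on `ingress`, passes uRPF.

    mode="rx"  -> strict: the FIB's best path to src must leave via `ingress`.
    mode="any" -> loose:  src only needs a (non-default) FIB entry on some interface.
    allow_default -> let a match on 0.0.0.0/0 satisfy the check. It is off by
                     default, as on IOS, which is why a source covered only by
                     the default route is still dropped.
    Returns "permit" or "drop".
    """
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' (strict) or 'any' (loose)")
    hit = fib_lookup(fib, src)
    if hit is None:
        return "drop"                     # no route back to the source at all
    prefix, iface = hit
    if prefix.prefixlen == 0 and not allow_default:
        return "drop"                     # only the default route matched
    if mode == "any":
        return "permit"                   # loose: any interface will do
    return "permit" if iface == ingress else "drop"


if __name__ == "__main__":
    # The lab's spoofed ping: source 192.168.0.2 arriving on Gi0/0.
    print(urpf_check(FIB, "192.168.0.2", "GigabitEthernet0/0"))              # drop
    print(urpf_check(FIB, "192.168.0.2", "GigabitEthernet0/0", mode="any"))  # permit
    print(urpf_check(FIB, "10.1.7.7", "GigabitEthernet0/0"))                 # permit
    print(urpf_check(FIB, "172.16.1.1", "GigabitEthernet0/0"))               # drop
    print(urpf_check(FIB, "172.16.1.1", "GigabitEthernet0/0", allow_default=True))  # permit
```

The spoofed source 192.168.0.2 fails strict mode on Gi0/0 because its best FIB entry points out a different interface, yet it would pass loose mode, which only asks whether a route exists at all. The 172.16.1.1 case shows why the default route matters: without allow-default the packet is dropped in both modes, with it the default route via Gi0/0 counts as a valid return path.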

Verification Steps:

Step 1: Ping from the loopback on Router2 to 192.168.0.10.
Router2# ping 192.168.0.10 source 192.168.0.2
Step 2: Review the Router1 log generated by the ACL set up earlier.
Router1# *Feb  3 12:07:59.059: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.0.2 5 packets
Note: You can also run 'sh ip traffic' to see how many packets have been dropped globally by uRPF, or 'sh ip int gi0/0' to see the count for a single interface.
 Router1# show ip traffic 
 IP statistics:
   Rcvd:  125 total, 80 local destination
          0 format errors, 0 checksum errors, 0 bad hop count
          0 unknown protocol, 0 not a gateway
          0 security failures, 0 bad options, 0 with options
   Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
          0 timestamp, 0 extended security, 0 record route
          0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
          0 other
   Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
          0 fragmented, 0 fragments, 0 couldn't fragment
   Bcast: 0 received, 0 sent
   Mcast: 0 received, 0 sent
   Sent:  85 generated, 30 forwarded
   Drop:  5 encapsulation failed, 0 unresolved, 0 no adjacency
          0 no route, 25 unicast RPF, 0 forced drop, 0 unsupported-addr
          0 options denied, 0 source IP address zero
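Since the lab verifies uRPF through the ACL log message and the 'show ip traffic' counter, here is an added Python example (written for this page, not a Cisco tool) that turns both into numbers a monitoring job can act on: it sums denied packets per source from the %SEC-6-IPACCESSLOGS lines and extracts the global 'unicast RPF' drop counter so two snapshots can be compared. The first log line is the one shown above; the other lines and the second snapshot are constructed.

```python
import re

# Constructed sample log lines. The first is the Router1 message shown above;
# the others are made up to show that unrelated messages are ignored and that
# repeated summaries for the same source are added together.
LOG_LINES = [
    "*Feb  3 12:07:59.059: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.0.2 5 packets",
    "*Feb  3 12:08:30.211: %SYS-5-CONFIG_I: Configured from console by console",
    "*Feb  3 12:13:59.100: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.0.2 3 packets",
]

# Constructed excerpt of 'show ip traffic', matching the Drop: block above.
SHOW_IP_TRAFFIC = """\
  Drop:  5 encapsulation failed, 0 unresolved, 0 no adjacency
         0 no route, 25 unicast RPF, 0 forced drop, 0 unsupported-addr
         0 options denied, 0 source IP address zero
"""

# Matches the log format shown above: "list <acl> denied <src> <n> packets"
ACCESSLOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<count>\d+) packets?"
)


def urpf_denies_by_source(lines, acl="99"):
    """Sum denied packets per source address from the given ACL's log messages."""
    totals = {}
    for line in lines:
        m = ACCESSLOG_RE.search(line)
        if m is None or m.group("acl") != acl or m.group("action") != "denied":
            continue
        totals[m.group("src")] = totals.get(m.group("src"), 0) + int(m.group("count"))
    return totals


def urpf_drop_counter(show_output):
    """Extract the global 'unicast RPF' drop counter from 'show ip traffic' output."""
    m = re.search(r"(\d+) unicast RPF", show_output)
    return int(m.group(1)) if m else None


def urpf_drop_delta(before, after):
    """Packets dropped by uRPF between two 'show ip traffic' snapshots.

    Returns None if either snapshot lacks the counter, so a missing or
    truncated capture is not mistaken for zero drops.
    """
    b, a = urpf_drop_counter(before), urpf_drop_counter(after)
    if b is None or a is None:
        return None
    return a - b


if __name__ == "__main__":
    print(urpf_denies_by_source(LOG_LINES))          # {'192.168.0.2': 8}
    print(urpf_drop_counter(SHOW_IP_TRAFFIC))        # 25
    earlier = SHOW_IP_TRAFFIC.replace("25 unicast RPF", "20 unicast RPF")
    print(urpf_drop_delta(earlier, SHOW_IP_TRAFFIC)) # 5
```

The per-source totals tell you who is sending spoofed traffic through the interface, while the counter delta gives a cheap health signal for the whole router: a delta that suddenly jumps after a routing change is a hint that strict mode is now dropping legitimate asymmetric traffic, not only spoofed packets.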

