What is a safe way to use Unicast Reverse Path Forwarding in an ISP network?

To answer this question, let's first review what unicast Reverse Path Forwarding is.

Unicast Reverse Path Forwarding (uRPF) is a security feature that lets a router verify that the source address of a packet it is about to forward is reachable. If the source address fails the check, the packet is discarded. It is the usual way to implement on a router the source-address ingress filtering recommended by BCP 38 (RFC 2827).

CEF must be enabled for unicast RPF to work, because the source lookup is done against the CEF forwarding table (FIB), not against the routing table directly.

Unicast RPF is applied in the inbound (ingress) direction only.

Unicast RPF runs in one of two modes: strict mode or loose mode.

In strict mode, the packet must arrive on the interface that the router would use to forward traffic back to the packet's source address; otherwise the packet is dropped. For that reason strict mode can drop legitimate traffic when routing is asymmetric, that is, when the return path to a source leaves through a different interface than the one the packet arrived on.

In loose mode, the source address only has to be present in the routing table (FIB); the ingress interface does not matter. By default the default route does not count for source verification, but the allow-default option changes this and lets the default route satisfy the check. In either mode, a packet whose source address resolves to a route pointing to the Null0 interface is dropped. An access list may also be specified in either mode; it is consulted only when the uRPF check fails: a permit entry lets the packet through anyway (useful for exempting known sources), while a deny entry drops it and can log the drop.

Unicast RPF configuration

In interface configuration mode:
ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [list]

"ip verify unicast source reachable-via rx" is strict mode.
"ip verify unicast reverse-path" is the older command for strict mode.

"ip verify unicast source reachable-via any" is loose mode;
   the default route is not used in the source verification.

"ip verify unicast source reachable-via any allow-default" is loose mode
   that allows the default route to be used in the source verification process.

"allow-self-ping" lets the router ping its own interface address through the check; it is normally left off.


Purposes of using unicast RPF

  1. The unicast RPF feature helps to mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network, by discarding IP packets that lack a verifiable IP source address.
  2. Filtering unallocated IP addresses. Unallocated IP addresses, the private-use addresses of RFC 1918, and the special-use addresses listed in RFC 3330 (since obsoleted by RFC 6890) are a problem when they appear as sources of packets routed on the Internet. Such addresses can be used to source attacks that are difficult or impossible to trace back. Filtering them at your network boundary (so-called "bogon" filtering) provides another layer of security.

Safe way to use Unicast Reverse Path Forwarding in an ISP network

There are two places to apply unicast RPF in an ISP network:

1. At the access layer, on the interfaces facing customers.
If there is only one path to the customer (the customer is single-homed behind that router), use unicast RPF strict mode on the customer-facing interface of the access router. The access router has only the customer's own prefix pointing at that interface, so any packet arriving from the customer with a source address outside that prefix is dropped. Where a customer is multihomed and the paths may be asymmetric, strict mode will drop legitimate traffic and must not be used.
2. At the core gateway, on the interfaces facing the upstream providers.
Because paths through the Internet are asymmetric, only unicast RPF loose mode can be used on an uplink interface, and the core gateway must carry the full global routing table. Loose mode on an uplink cannot block an attack whose forged source address is a routed public address, since that address has a route in the table; it can only drop incoming packets whose source address is unallocated or otherwise absent from the table.
The network designer has to make sure the core gateway carries the full global routing table so that loose-mode source verification works. If some routes are filtered out of the full table, legitimate traffic from those source prefixes is dropped because no route matches the packet's source address.

So the safe way to apply unicast RPF loose mode on the upstream-facing interface of the ISP's core gateway is:

1. Use loose mode with the allow-default argument and make sure there is a valid default route in the routing table. As long as a default route is present, legitimate traffic is still forwarded even if some routes have been filtered out of the global table. The trade-off is that with allow-default every source address not covered by a more specific Null0 route passes the check, so the protection that remains comes from the Null0 routes of step 2.

The command is below:

ip verify unicast source reachable-via any allow-default

2. Use static routes that point the unallocated address space (the RFC 1918 private blocks and the special-use blocks) to the Null0 interface. These prefixes are more specific than the default route, so they win the lookup even with allow-default, and unicast RPF drops packets whose source address falls in those ranges. Keep this list current: address blocks that were unallocated get allocated over time, and a stale Null0 route would then black-hole legitimate traffic. If the ISP uses RFC 1918 space internally, the internal routes are more specific than the Null0 route and still take precedence.

Comparing ACLs with unicast RPF

With unicast RPF, ingress filtering is done at CEF packet-per-second rates. This processing speed makes a difference when the link is faster than 1 Mbps. Unicast RPF also follows the routing table automatically, whereas an ingress ACL has to be updated by hand whenever a customer's prefixes change.
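To make the mode semantics from the configuration section and the two-tier design above concrete, here is a small Python model of the uRPF decision, added for this post (it is not Cisco code and not the author's configuration). It runs the strict, loose and loose-with-allow-default checks against constructed routing tables for a hypothetical access router and core gateway: all router names, interface names and prefixes are made up, and the exemption list stands in for the permit entries of the optional [list] ACL.

```python
"""Model of Cisco-style unicast RPF checks (strict, loose, allow-default, Null0,
ACL exemption) run against constructed routing tables for a hypothetical ISP
access router and core gateway.  Added illustration only: none of the router,
interface or prefix names below come from the original post."""

import ipaddress
from dataclasses import dataclass

NULL0 = "Null0"


@dataclass
class Router:
    name: str
    routes: dict  # prefix -> outgoing interface; NULL0 marks a black-hole route

    def lookup(self, src, use_default):
        """Longest-prefix match for the source address.  The 0.0.0.0/0 route is
        only considered when use_default is True (the allow-default keyword)."""
        ip = ipaddress.ip_address(src)
        best_net, best_if = None, None
        for prefix, iface in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if net.prefixlen == 0 and not use_default:
                continue
            if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_if = net, iface
        return best_if  # None when nothing matched

    def urpf(self, src, in_iface, mode, allow_default=False, exempt=()):
        """Return True if the packet is forwarded, False if uRPF drops it.
        mode "rx"  = strict: the return route must point out the ingress interface.
        mode "any" = loose: any route other than Null0 is enough.
        exempt     = source prefixes permitted even when the check fails (stands in
                     for the permit entries of the optional ACL)."""
        out = self.lookup(src, allow_default)
        if out is None or out == NULL0:
            passed = False  # no route, or a route to Null0: dropped in both modes
        elif mode == "rx":
            passed = out == in_iface
        elif mode == "any":
            passed = True
        else:
            raise ValueError(f"unknown uRPF mode {mode!r}")
        if not passed and exempt:
            ip = ipaddress.ip_address(src)
            passed = any(ip in ipaddress.ip_network(p) for p in exempt)
        return passed


# Constructed topology (hypothetical names and prefixes).
ACCESS = Router("access-1", {
    "198.51.100.0/24": "Gi0/1",  # single-homed customer behind Gi0/1
    "0.0.0.0/0": "Gi0/0",        # everything else goes up to the core
})

CORE = Router("core-gw", {
    "0.0.0.0/0": "Gi1/0",        # default route towards upstream A
    "198.51.100.0/24": "Gi0/0",  # our customer, reached via the access router
    "203.0.113.0/24": "Gi1/1",   # prefix learned from upstream B: return path is asymmetric
    "10.0.0.0/8": NULL0,         # RFC 1918 blocks black-holed so uRPF drops them
    "172.16.0.0/12": NULL0,
    "192.168.0.0/16": NULL0,
    # 192.0.2.0/24 is deliberately absent: assume it was filtered from the full table
})


def run_scenario():
    """Return {case: forwarded?} for the situations discussed in the post."""
    r = {}
    # Access layer: strict mode on the customer-facing interface Gi0/1
    r["access legit"] = ACCESS.urpf("198.51.100.7", "Gi0/1", "rx")
    r["access spoofed"] = ACCESS.urpf("203.0.113.9", "Gi0/1", "rx")
    r["access spoofed allow-default"] = ACCESS.urpf("203.0.113.9", "Gi0/1", "rx", allow_default=True)
    # Core gateway: checks on the upstream-facing interface Gi1/0
    r["core strict asymmetric"] = CORE.urpf("203.0.113.9", "Gi1/0", "rx")  # legit, wrong uplink
    r["core loose public"] = CORE.urpf("203.0.113.9", "Gi1/0", "any")
    r["core loose spoofed customer"] = CORE.urpf("198.51.100.7", "Gi1/0", "any")
    r["core loose filtered"] = CORE.urpf("192.0.2.5", "Gi1/0", "any")
    r["core loose filtered allow-default"] = CORE.urpf("192.0.2.5", "Gi1/0", "any", allow_default=True)
    r["core loose filtered acl"] = CORE.urpf("192.0.2.5", "Gi1/0", "any", exempt=("192.0.2.0/24",))
    r["core loose rfc1918"] = CORE.urpf("10.1.2.3", "Gi1/0", "any", allow_default=True)
    return r


if __name__ == "__main__":
    for case, forwarded in run_scenario().items():
        print(f"{case:36s} {'forward' if forwarded else 'DROP'}")
```

The cases show the points made above: strict mode on the access router drops the spoofed source even with allow-default, because the default route points out the uplink rather than the customer interface; strict mode on the core uplink would drop a legitimate packet that arrives on the "wrong" uplink; loose mode forwards a spoofed but routed public source; a prefix filtered from the table is dropped in plain loose mode but forwarded with allow-default or an ACL exemption; and the Null0 route for 10.0.0.0/8 wins over the default route, so the RFC 1918 source is dropped.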


For Network Design, Build and Consulting Services, 
please visit:
www.unistreamnetworks.com




