Cisco IOS Software Release 12.0(13)S7
Unicast Reverse Path Forwarding in Strict Mode on the Cisco 12000 Series Internet Router
OL-15426-01
By implementing ingress traffic filtering as specified in RFC 2827, the Unicast RPF in Strict Mode
feature renders DoS attacks based on forged source addresses ineffective by forwarding only packets that
have source addresses that are valid and consistent with the IP routing table.
RFC 2827 defines the ingress traffic filtering requirements designed to discard packets with invalid
source IP addresses. Common examples of invalid source IP addresses include:
• Valid IP network addresses that do not originate in the network
• Private (RFC 1918) IP addresses or unallocated IP address ranges
To be most effective in preventing source IP addresses spoofing, enable Unicast RPF in strict mode on
a PE router at the edge of your network. Ingress traffic filtering on a PE router minimizes the range of
valid IP addresses and discards anomalous IPv4 packets as close to their origin as possible.
After you secure a network from the use of invalid source IP addresses, DoS attacks may start from valid,
reachable IP addresses, which permits the identification of the originator. See the
for more information.
Protection Using Black Hole Filtering
To dynamically and efficiently drop traffic from a specific, valid IP address that is identified as the
source of an attack, the Unicast RPF in Strict mode feature uses two additional ingress traffic filtering
techniques:
source of an attack, the Unicast RPF in Strict mode feature uses two additional ingress traffic filtering
techniques:
• Source IP-based black hole filtering
• Source IP-based Remote Triggered Black Hole (RTBH) filtering
These traffic filtering techniques provide network security that reacts quickly to mitigate multiple,
shifting attacks, including Denial of Service (DoS), Distributed DoS (DDoS), and worm attacks, that
originate from a particular IPv4 address. All incoming IPv4 traffic from a known IPv4 address that is
identified as the source of an attack is dropped.
As an advanced security feature, you can place black holes in a network in which traffic is forwarded
and dropped. Once an attack has been detected, black holing can be used to drop all attack traffic at the
edge of a service-provider network, based on source IP addresses. The attack traffic is forwarded to a
null0 interface. Null0 is a pseudo-interface that is always up and can never forward or receive traffic.
RTBH filtering is a technique that uses routing protocol updates to manipulate route tables at the network
edge or anywhere else in the network to specifically drop undesirable traffic before it enters the
service-provider network. For more information, refer to
Strict Versus Loose Checking Mode
On the Cisco 12000 series Internet router, in Cisco IOS Release 12.0(32)S and earlier releases, the
Unicast RPF feature is supported only in loose checking mode to filter IPv4 traffic. Starting in
Cisco IOS Release 12.0(33)S, Unicast RPF in strict mode is also supported. The differences between the
two modes are as follows:
• Strict checking mode verifies that the source IPv4 address of an IPv4 packet exists in the routing
table and that the source IPv4 address is reachable by a path through the input interface (the interface
on which the packet enters the router). To configure strict checking mode, use one of the following
commands: