Re: [nsp] RPF question...(followup from cisco)

From: lists (lists@lists.grot.org)
Date: Wed Jan 24 2001 - 13:05:28 EST


Thanks to whomever forwarded my message to Neil Jarvis at Cisco.
Forwarded by permission of Neil Jarvis.

----- Forwarded message -----

To: lists@lists.grot.org (lists)
Subject: Re: [nsp] RPF question...
From: Neil Jarvis <njarvis@cisco.com>
Date: 24 Jan 2001 07:46:54 +0000
In-Reply-To: <20010122140748.A92462.3667@mighty.grot.org>

>>>>> "lists" == lists <lists@lists.grot.org> writes:

lists> We have an annoying spoofing situation that might be solved by
lists> putting RPF on the router interface, but since I don't see
lists> this particular case covered in the literature, I figure I
lists> might as well ask.

lists> Cisco e4/0/4 x.y.125.1]----<x.y.125.0/24 subnet with many
lists> machines on it
lists>
lists> One of the machines on the subnet is spoofing packets as x.y.125.1.

lists> Although the route for x.y.125.1 points out that interface and
lists> it would seem that RPF would not prevent the spoofing, doing a:

lists> sh ip cef | include x.y.125

lists> gives:

lists> x.y.125.0/24 attached Ethernet4/0/4
lists> x.y.125.0/32 receive
lists> x.y.125.1/32 receive
lists> x.y.125.2/32 x.y.125.2 Ethernet4/0/4
lists> x.y.125.41/32 x.y.125.41 Ethernet4/0/4
lists> x.y.125.42/32 x.y.125.42 Ethernet4/0/4

lists> Which seems to indicate that from a CEF perspective,
lists> x.y.125.1/32 and x.y.125.0/32 (set to be broadcast) are treated
lists> differently than the rest of x.y.125.0/24 and might in fact
lists> prevent the spoofed packet from making it past the Cisco...

lists> Can someone confirm that this is in fact the behaviour? (That
lists> particular router has been melting all morning due to high-pps
lists> DoS originating from the spoofing host so I'm reluctant to try
lists> it and cause other problems -- instead, we have just taken the
lists> offending box off of that subnet but I want to prevent this
lists> from happening in the future)

lists> I can't find any text on the Cisco site to address this
lists> particular case, but I believe I'm correct in believing that
lists> enabling RPF on that interface will in fact prevent packets
lists> being spoofed as being from x.y.125.1 by any hosts on that
lists> subnet.

lists> Thanks,
lists> Adi

It depends on the destination address and the image version:

If the DoS packets had both the source and destination addresses set
to x.y.125.1 (the address of the router's interface), then older
versions of RPF will not drop the packets because they look like they
originated from the router (the router could be pinging itself).

However, this behaviour was changed with the commit of CSCdr93424.
Now the ability to ping your own interface addresses must be
explicitly enabled in the configuration. If the feature is not
enabled, then a DoS packet with the source and destination addresses
of the router's interface will be dropped by RPF.

If the destination address was not x.y.125.1, RPF will drop the
packets in all versions where RPF is supported.

Hope this helps,

-Neil

--
  Neil Jarvis, IOS FIB Technical Leader, Cisco Systems (Edinburgh) Ltd
    3rd Floor, 96 Commercial Street, Edinburgh, EH6 6LX, Scotland
          Tel: +44 (131) 561 3631   Mob: +44 (7808) 784224      

----- End forwarded message -----
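Added example, not code from the thread or from Cisco: a small Python model of the strict uRPF decision Neil describes, run over a constructed CEF table shaped like the one Adi posted. The 192.0.2 prefix stands in for the redacted x.y, and the `allow_self_ping` flag is an assumption that only models the configuration knob Neil mentions, not the IOS command itself.

```python
import ipaddress

# Constructed 'sh ip cef' output modelled on the post; the redacted "x.y" is
# replaced by the documentation prefix 192.0.2 (assumption, not a real site).
CEF_OUTPUT = """\
192.0.2.0/24 attached Ethernet4/0/4
192.0.2.0/32 receive
192.0.2.1/32 receive
192.0.2.2/32 192.0.2.2 Ethernet4/0/4
192.0.2.41/32 192.0.2.41 Ethernet4/0/4
192.0.2.42/32 192.0.2.42 Ethernet4/0/4
"""

def parse_cef(text):
    """Return (network, kind, interface) tuples; kind is receive/attached/nexthop."""
    fib = []
    for line in filter(None, text.splitlines()):
        prefix, what, *rest = line.split()
        net = ipaddress.ip_network(prefix)
        if what == "receive":          # one of the router's own addresses
            fib.append((net, "receive", None))
        elif what == "attached":       # directly connected subnet
            fib.append((net, "attached", rest[0]))
        else:                          # next-hop address, then outgoing interface
            fib.append((net, "nexthop", rest[0]))
    return fib

def lookup(fib, addr):
    """Longest-prefix match of addr against the FIB (None if no route)."""
    addr = ipaddress.ip_address(addr)
    matches = [e for e in fib if addr in e[0]]
    return max(matches, key=lambda e: e[0].prefixlen, default=None)

def urpf_strict(fib, src, dst, ingress, allow_self_ping=False):
    """Strict uRPF verdict ('forward'/'drop') for a packet seen on `ingress`.

    The source's reverse path must point back out the ingress interface.  A
    source resolving to a 'receive' entry is the router's own address: pre-
    CSCdr93424 images accepted it when dst == src (router pinging itself);
    later images only do so when allow_self_ping is explicitly configured.
    Use allow_self_ping=True to model the older implicit behaviour.
    """
    entry = lookup(fib, src)
    if entry is None:
        return "drop"                  # no route back to the source at all
    net, kind, iface = entry
    if kind == "receive":
        return "forward" if allow_self_ping and src == dst else "drop"
    return "forward" if iface == ingress else "drop"
```

The spoofed DoS traffic from the post (source 192.0.2.1 arriving on Ethernet4/0/4 with some other destination) is dropped in every case, while the self-ping case only passes when the flag is set.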



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:26 EDT