[c-nsp] Unicast Reverse Path Forwarding - Loose Mode
Frederic LOUI
frederic.loui at renater.fr
Thu Apr 8 08:05:57 EDT 2010
As mentioned before, it can still be useful and necessary if you want to
deploy a central filtering mechanism such as "RTBH" or a variant.
More details here (as a start):
http://www.cisco.com/web/about/security/intelligence/blackhole.pdf
After having activated uRPF in loose mode, you can verify whether you're
effectively dropping packets using the "show ip interface
<INTERFACE_NAME> | b IP verify" command:
sh ip int X/Y
...
IP verify source reachable-via ANY
708 verification drops
745456 suppressed verification drops
0 verification drop-rate
...
Best regards / Frederic
--
Frederic LOUI / GIP RENATER
Network Management & Monitoring
Network Backbone Engineering & Planning
Tel: +33 1 53 94 20 40 / Fax: +33 1 53 94 20 31
loui at renater.fr http://www.renater.fr
Reuben Farrelly wrote:
> I've been reading up about uRPF on Cisco's website, at:
>
> http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ft_urpf.html
>
>
> I've heard many people suggest that having uRPF filtering on in an ISP
> environment is a good idea (and best practice).
>
> However I'm grappling with the idea in terms of how effective it might
> be, and if it will solve a specific problem that I have observed
> recently.
>
> We are a multihomed ISP, and have uplinks to two separate carriers
> taking full BGP feeds as well as multiple peering sessions from other
> parties. This means that there is some asymmetric routing present - a
> situation which is pretty much unavoidable in this situation.
>
> Now going by the document above, deploying loose mode uRPF on our
> edge/outside interfaces would mean that our border router would be
> able to drop traffic from non routable sources from coming into our
> network.
>
> Two questions:
>
> 1. Given the global routing table is increasing and there is not all
> that much unallocated/non-routed IP networks left (and thus fewer
> invalid source addresses to draw from), is uRPF much of an advantage
> in today's ISP/IPv4 networks?
>
> 2. We are also seeing some traffic sourced from IPs within a specific
> /24 subnet inside our AS, entering from outside of our AS. It is
> being sourced from somewhere on the Internet by some host(s) which are
> sending the traffic out with our source address but are not actually
> originating the traffic from within our AS (which I guess is along the
> lines of a DoS but the traffic volumes are relatively low). I am
> dropping this on our 7200 via ACLs deployed on the outside
> edges/interfaces of our network. Could loose mode uRPF help solve
> this problem?
>
> Thanks,
> Reuben
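To make the difference between the two uRPF modes concrete (and to show what the "verification drops" and "suppressed verification drops" counters in Frederic's output actually count), here is an added Python model of the check as IOS performs it. It is example code written for this page, not Cisco code and not code from either poster. The FIB, interface names and packets are constructed sample data; the semantics modelled are the documented ones: loose mode ("reachable-via any") passes a source as long as some route exists for it that does not point at Null0, strict mode ("reachable-via rx") additionally requires that route to leave via the ingress interface, a default route only satisfies the check with "allow-default", and an exception ACL lets failing packets through while counting them as suppressed drops.

```python
import ipaddress
from dataclasses import dataclass

NULL0 = "Null0"  # routes pointing here are blackholes (RTBH)


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


@dataclass
class Counters:
    forwarded: int = 0
    verification_drops: int = 0
    suppressed_verification_drops: int = 0


def build_fib(entries):
    """entries: iterable of (prefix_str, iface); sorted longest prefix first."""
    fib = [Route(ipaddress.ip_network(p), i) for p, i in entries]
    fib.sort(key=lambda r: r.prefix.prefixlen, reverse=True)
    return fib


def lookup(fib, addr):
    """Longest-prefix match on the FIB; returns the Route or None."""
    a = ipaddress.ip_address(addr)
    for r in fib:
        if a in r.prefix:
            return r
    return None


def urpf_check(fib, src, ingress, mode="any", allow_default=False):
    """True if src passes uRPF on `ingress`.
    mode="any": loose mode, a usable (non-Null0) route must exist.
    mode="rx":  strict mode, that route must also exit via `ingress`.
    """
    r = lookup(fib, src)
    if r is None:
        return False                       # no route at all
    if r.prefix.prefixlen == 0 and not allow_default:
        return False                       # only the default route matched
    if r.iface == NULL0:
        return False                       # blackholed source (RTBH)
    if mode == "rx" and r.iface != ingress:
        return False                       # asymmetric path fails strict mode
    return True


def process(fib, packets, ingress, mode="any", allow_default=False, exempt=None):
    """Run (src, dst) packets through uRPF on `ingress`.
    `exempt` models the optional ACL on the verify command: packets that fail
    the check but match it are forwarded and counted as suppressed drops."""
    exempt_nets = [ipaddress.ip_network(p) for p in (exempt or [])]
    c = Counters()
    verdicts = []
    for src, _dst in packets:
        if urpf_check(fib, src, ingress, mode, allow_default):
            c.forwarded += 1
            verdicts.append((src, "forward"))
        elif any(ipaddress.ip_address(src) in n for n in exempt_nets):
            c.suppressed_verification_drops += 1
            verdicts.append((src, "forward (suppressed drop)"))
        else:
            c.verification_drops += 1
            verdicts.append((src, "drop"))
    return c, verdicts


# Constructed sample FIB: Gi0/0 = customer side, Gi0/1 = upstream, Gi0/2 = peer.
SAMPLE_FIB = [
    ("192.0.2.0/24", "Gi0/0"),       # our own prefix, lives behind Gi0/0
    ("198.51.100.0/24", "Gi0/1"),    # learned from upstream
    ("203.0.113.0/24", "Gi0/2"),     # learned from a peer
    ("100.64.99.1/32", NULL0),       # source blackholed via RTBH
    ("0.0.0.0/0", "Gi0/1"),          # default towards upstream
]

# Constructed packets, all arriving on the upstream interface Gi0/1.
SAMPLE_PACKETS = [
    ("198.51.100.7", "192.0.2.1"),   # normal upstream traffic
    ("203.0.113.5", "192.0.2.1"),    # peer prefix arriving via upstream (asymmetric)
    ("192.0.2.10", "192.0.2.1"),     # spoofed: our own prefix from outside
    ("100.64.99.1", "192.0.2.1"),    # RTBH-blackholed source
    ("10.1.2.3", "192.0.2.1"),       # matches only the default route
]

if __name__ == "__main__":
    fib = build_fib(SAMPLE_FIB)
    for mode in ("any", "rx"):
        counters, verdicts = process(fib, SAMPLE_PACKETS, "Gi0/1", mode=mode)
        print(f"reachable-via {mode}: {counters}")
        for src, verdict in verdicts:
            print(f"  {src:<14} {verdict}")
```

Running it shows the point behind both of Reuben's questions: in loose mode the spoofed 192.0.2.10 source is forwarded, because a route for that prefix exists, while the blackholed source and the source covered only by the default route are dropped; strict mode would catch the spoof but also drops the legitimate asymmetric peer traffic. Passing exempt=["10.0.0.0/8"] moves the default-route case from "verification drops" into "suppressed verification drops", which is the counter that was climbing in the output above.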