[c-nsp] Unicast Reverse Path Forwarding - Loose Mode

Steve Bertrand steve at ibctech.ca
Thu Apr 8 08:48:39 EDT 2010


On 2010.04.08 06:46, Reuben Farrelly wrote:
> I've been reading up about uRPF on Cisco's website, at:
> 
> http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ft_urpf.html
> 
> 
> I've heard many people suggest that having uRPF filtering on in an ISP
> environment is a good idea (and best practice).

Good idea and exceptionally useful.

> 1. Given the global routing table is increasing and there is not all
> that much unallocated/non-routed IP networks left (and thus fewer
> invalid source addresses to draw from), is uRPF much of an advantage in
> todays ISP/IPv4 networks?

It is a very big advantage. Even if you can prevent a single packet with
invalid source or destination, it is worth it. Especially looking at it
from the inside out... you can prevent other networks from having to
receive bad things from leaving your own network.

> 2. We are also seeing some traffic sourced from IPs within a specific
> /24 subnet inside our AS, entering from outside of our AS.  It is being
> sourced from somewhere on the Internet by some host(s) which are sending
> the traffic out with our source address but are not actually originating
> the traffic from within our AS (which I guess is along the lines of a
> DoS but the traffic volumes are relatively low).  I am dropping this on
> our 7200 via ACLs deployed on the outside edges/interfaces of our
> network.  Could loose mode uRPF help solve this problem?

I don't believe that loose mode can really help with this, so ACL is
likely still advisable. Strict mode most certainly would help, but as
you've said, you have multiple possible paths. If the traffic level ever
does reach a point where the returned packets overwhelm a
connection/interface, ask your upstream to filter it on their egress
interface to you (unless you have a setup that you would see your own IP
space legitimately exiting one part of your network, going through the
Internet back to you).

As others have pointed out, loose-mode uRPF is absolutely great as an
immediate and automated blackhole/sinking technique for your entire
border, for both destination and source addresses.

My network has strict mode enabled on all interfaces where it is
possible (single-homed clients, multi-homed clients that only use a
backup link if the primary is down etc), and loose everywhere else.

I have a couple of route servers (2691's) that collect the BOGONs via
BGP from Team Cymru, which in turn advertises these routes to the edge
routers with a next-hop of the null interface. Given that the null route
is valid in the eyes of uRPF, any traffic from the BOGONs will be
dropped, coming into any interface.

Further to that, it makes it exceptionally easy to null your own, or
someone elses traffic network-wide in the event of a problem. Simply
insert a tagged static on your server or trigger box, and done.

Another ability that this provides you with, is sinkholing the bad
traffic. Instead of sending a particular src/dst to the null interface,
you can set up a box on the network, route the bad traffic to that, and
you'll be able to monitor/save the actual data if you ever need it, or
need to do further troubleshooting. I do this from time to time, and it
is surprising how much garbage one can receive from a network that does
no filtering whatsoever.

I guess what I'm trying to say is that enabling it is good, and I've
never run into any situation where enabling loose mode has caused problems.

Steve


More information about the cisco-nsp mailing list