RPF Process
Refer to Figure 15-5 for this next illustration of
RPF. Here is a simplified routing table based on the perimeter router's
configuration:
199.1.1.0/24 E1 199.1.2.0/24 E0 199.1.3.0/24 E0 199.1.4.0/24 E0 199.1.5.0/24 E0 199.1.6.0/24 E0 199.1.7.0/24 E0 0.0.0.0/0 E1
Figure 15-5. Unicast RPF Example
[View full size image]
As an example, assume that the perimeter router
receives a packet on E0 with an IP address of 199.1.0.5. With RPF, the
router knows that this is not valid because 199.1.0.0/25 is located off
E1. In this instance, the router drops the packet. Basically, the router
compares the source IP address with the routes in the routing table, to
make sure that the packet is received off the correct interface. The
router matches source IP packets only against best paths (the ones
populated in the routing table).
If an inbound ACL is applied to the interface on
which RPF is enabled, the router first checks the ACL and then performs
its RPF check.
NOTE
For RPF to function, CEF must be enabled on the
router. This is because the router uses the Forwarding Information Base
(FIB) of CEF to perform the lookup process, which is built from the
router's routing table. In other words, RPF does not really look at the
router's routing table; instead, it uses the CEF FIB to determine
spoofing.
RPF Usage
RPF works best at the perimeter of your network. If
you use it inside your network, it is used best when your routers have
more specific routes. With route summarization, a spoofing attack could
be in process, and it would be difficult to determine which part of the
summarized route the attack is occurring from. For external threats, the
more ISPs and companies use RPF, the more likely it is that spoofing
attacks can be a thing of the past. However, the more point-of-presence
(POP) connections that an ISP has, the more difficult it becomes to use
RPF because multiple paths might exist to the source. Using RPF as close
to the sources of the addresses as possible is the best solution for
ISPs directly connected to their customers.
RPF is deployed best on perimeter routers in networks
that have a single connection to the outside world. Of course, RPF will
work in multiple-connection environments, as well as with internal
routers, but it might not provide the optimum solution in detecting
spoofed packets. Figure 15-6 shows an example of the problem that can
occur when using RPF in a dual-connection network. In this example, the
perimeter router uses interface S0 to send traffic to the remote site.
However, using BGP, the Internet has determined that the best path to
return the traffic to the network on the left is to send this through S1
on the perimeter router. This creates a problem on the perimeter router
with RPF because using its routing table, the router expects this
traffic to come through S0. In this instance, the router would drop the
returning traffic.
Figure 15-6. RPF and Dual-Connection Problems
[View full size image]
One exception to using RPF for single connections is
to use dialup access on an access server. One of the main sources of
spoofing attacks is dialup access. By using RPF on your access servers,
you can limit your exposure to this method of spoofing attack.
An alternative to RPF is to use ACLs. However, the
main problem of ACLs are their performance and day-to-day maintenance.
RPF, on the other hand, relies on information from the routing table,
which can be built statically or dynamically. With CEF handling the
process, you are not taking a performance hit.
In this example, Unicast RPF
is applied at interface S0 on the enterprise router for protection from
malformed packets arriving from the Internet. Unicast RPF is also
applied at interface S5/0 on the ISP router for protection from
malformed packets arriving from the enterprise network.
Figure 40 Enterprise Network Using Unicast RPF for Ingress Filtering
Using the topography in , a typical configuration (assuming that CEF is turned on) on the ISP router would be as follows:
ip cef
interface loopback 0
description Loopback interface on Gateway Router 2
ip address 192.168.3.1 255.255.255.255
no ip redirects
no ip directed-broadcast
no ip proxy-arp
interface Serial 5/0
description 128K HDLC link to ExampleCorp WT50314E R5-0
bandwidth 128
ip unnumbered loopback 0
ip verify unicast reverse-path
no ip redirects
no ip directed-broadcast
no ip proxy-arp
ip route 192.168.10.0 255.255.252.0 Serial 5/0
The gateway router configuration of the enterprise network (assuming that CEF is turned on) would look similar to the following:
ip cef
interface Ethernet 0
description ExampleCorp LAN
ip address 192.168.10.1 255.255.252.0
no ip redirects
no ip directed-broadcast
no ip proxy-arp
interface Serial 0
description 128K HDLC link to ExampleCorp Internet Inc WT50314E C0
bandwidth 128
ip unnumbered ethernet 0
ip verify unicast reverse-path
no ip redirects
no ip directed-broadcast
no ip proxy-arp
ip route 0.0.0.0 0.0.0.0 Serial 0
Notice that Unicast RPF works with a single default route. There are no
additional routes or routing protocols. Network 192.168.10.0/22 is a
connected network. Hence, packets coming from the Internet with a source
address in the range 192.168.10.0/22 will be dropped by Unicast RPF.