Implementing URPF

This section describes the implementation of URPF.

Understanding URPF

It has become commonplace for attackers planning a DoS attack to use forged source IP addresses (a practice known as IP address spoofing) and to change the source IP address constantly to avoid detection by service providers.

Unicast Reverse Path Forwarding (URPF) is a mechanism for validating the source IP address of packets received on a router. A router configured with URPF performs a reverse path lookup in the FIB table to validate the presence of the source IP address. If the source IP address is listed in the table, the source is considered reachable and valid. If the source IP address cannot be located in the FIB table, the router treats the packet as malicious and discards it.

The router supports the use of URPF in loose mode. URPF loose mode is enabled when the router is configured to validate only the prefix of the source IP address in the FIB, and not the interface on which the packet arrived at the router. By configuring loose mode, legitimate traffic that uses an alternate interface to reach the router is not mistaken for malicious traffic. URPF loose mode is very useful in multi-homed provider edge networks.
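The FIB lookup described above, as an added example that is not part of the original document or of Cisco IOS XR: a constructed FIB, a longest-prefix-match lookup, and the loose-mode check (reachable-via any) beside the strict-mode check (reachable-via rx, which this page does not configure) to show why loose mode does not discard legitimate multi-homed traffic. The FIB entries, interface names and addresses are constructed sample data.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed sample FIB: (prefix, interface the prefix is reachable via).
# Not taken from any real router; assumption for illustration only.
FIB = [
    ("10.0.0.0/24", "Bundle-Ether1"),
    ("192.0.2.0/24", "Bundle-Ether2"),
    ("198.51.100.0/25", "Bundle-Ether1"),
    ("2001:db8::/32", "Bundle-Ether1"),
]


def fib_lookup(address: str, fib=FIB) -> Optional[Tuple[str, str]]:
    """Longest-prefix match of a source address against the FIB.

    Returns (prefix, interface) for the most specific covering route,
    or None when no route covers the address.
    """
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, intf in fib:
        net = ipaddress.ip_network(prefix)
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen:
            best = (prefix, intf)
    return best


def urpf_loose(src: str, fib=FIB) -> bool:
    """Loose mode (reachable-via any): accept if any FIB route covers the source.

    Caveat: a default route (0.0.0.0/0 or ::/0) in the FIB would make every
    source pass this check, so the sample FIB deliberately has none.
    """
    return fib_lookup(src, fib) is not None


def urpf_strict(src: str, ingress: str, fib=FIB) -> bool:
    """Strict mode (reachable-via rx): accept only if the covering route points
    back out the interface the packet arrived on."""
    route = fib_lookup(src, fib)
    return route is not None and route[1] == ingress


def classify(src: str, ingress: str, fib=FIB) -> dict:
    """Return the verdict of both modes for one packet; True means forwarded."""
    return {"loose": urpf_loose(src, fib), "strict": urpf_strict(src, ingress, fib)}
```

A source with no covering route (a typical spoofed address) is dropped by both modes, while a legitimate source that arrives on an interface other than the one the FIB points to is dropped only by strict mode.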

Configuring URPF Loose Mode

This section explains how you can configure URPF loose mode on the router for both IPv4 and IPv6 networks.

Before You Begin

Before you can configure URPF loose mode on a router, you must disable the default scale on the line card, as described in this section.


Note

IPv6 uRPF configuration requires the hw-module fib ipv6 scale internet-optimized-disable command for all types of cards, both TCAM cards and non-TCAM cards. By default, IPv6 uses internal memory for prefixes. Therefore, you need to configure the hw-module fib ipv6 scale internet-optimized-disable command and then reload the line card.



Note

The hw-module fib ipv4 scale internet-optimized command and hw-module fib ipv6 scale internet-optimized command are deprecated from Cisco IOS XR Software Release 7.3.1 and Release 7.4.1, respectively. Hence, if you upgrade a router where these configurations already exist to Release 7.3.1 or Release 7.4.1 or later, you might see a corresponding warning message stating so.



Note

Line cards must be reloaded after disabling the default scale, so that the hw-module command configuration takes immediate effect.



Note

On NCS55Ax systems with external TCAM (eTCAM), the dual capacity mode need not be disabled to enable uRPF.


For all types of line cards with TCAM:


RP/0/RP0/CPU0:router(config)# hw-module tcam fib ipv4 scaledisable
RP/0/RP0/CPU0:router(config)# hw-module fib ipv6 scale internet-optimized-disable
RP/0/RP0/CPU0:router(config)# commit
RP/0/RP0/CPU0:router(config)# end
RP/0/RP0/CPU0:router# reload location all
Proceed with reload? [confirm] 

For all types of line cards without TCAM:


RP/0/RP0/CPU0:router(config)# hw-module fib ipv4 scale host-optimized-disable
RP/0/RP0/CPU0:router(config)# hw-module fib ipv6 scale internet-optimized-disable
RP/0/RP0/CPU0:router(config)# commit
RP/0/RP0/CPU0:router(config)# end
RP/0/RP0/CPU0:router# reload location all
Proceed with reload? [confirm] 

Configuration

Use the following configuration to configure URPF loose mode on the router.


Note

You must configure both IPv4 and IPv6 commands (as described in this section) for URPF to work.


RP/0/RP0/CPU0:router(config)# interface Bundle-Ether1
RP/0/RP0/CPU0:router(config-if)# ipv4 address 10.0.0.1 255.255.255.0
RP/0/RP0/CPU0:router(config-if)# ipv4 verify unicast source reachable-via any
RP/0/RP0/CPU0:router(config-if)# ipv6 address 2001::1/64
RP/0/RP0/CPU0:router(config-if)# ipv6 verify unicast source reachable-via any
RP/0/RP0/CPU0:router(config-if)# commit

Running Configuration

Confirm your configuration as shown:

RP/0/RP0/CPU0:router(config-if)# show running-config
Thu Jul 27 14:40:38.167 IST
...
!
interface Bundle-Ether1
 ipv4 address 10.0.0.1 255.255.255.0
 ipv4 verify unicast source reachable-via any
 ipv6 address 2001::1/64
 ipv6 verify unicast source reachable-via any
!

You have successfully configured URPF loose mode on the router.