Reverse path forwarding
Reverse path forwarding (RPF) refers to a feature present in modern internet routers, which may be used to reduce the risk of customers attacking other internet hosts.
One of the problems network service providers face today is customers generating packets with fake source IP addresses, a technique known as spoofing. This is often done in order to initiate a denial-of-service attack against another internet host or network.
Since the source IP addresses of the incoming packets change, often randomly, and for every packet, the target of such an attack can't easily filter out the attacking packets. However, the source of the attack, i.e. the network service provider of the attacking host, has a simple way to stop such packets from ever leaving its network. A router always knows which networks are reachable via any of its interfaces. By checking the source IP address of all packets coming in via an interface against the networks known to be behind that interface, the router can simply drop packets that aren't supposed to come from there.
Hence, reverse path forwarding refers to forwarding only those packets whose source address lies in a network the router would reach through the interface they arrived on; the "reverse path" is the route back towards the packet's source address.
Implementations
Checking the reverse path is generally not enabled by default. If required, it should be enabled either globally or per interface. Some implementations offer two different RPF modes: loose and strict. Strict RPF is the check described above, while loose mode accepts a packet as long as its source IP address is reachable according to the routing table, not necessarily via the interface the packet arrived on.
Strict RPF mode is suitable for edge devices and routers running simple, non-multihomed networks. Loose RPF mode is more suited to core routers in large networks.
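As an added example that is not part of the original article, the following Python script models the strict and loose checks described above over a constructed routing table and sample packets; the addresses, interface names and the handling of the default route are assumptions, not taken from the page.

```python
import ipaddress

# Constructed routing table (prefix -> egress interface); RFC 5737 documentation
# ranges stand in for customer networks. Not taken from the page.
ROUTING_TABLE = [
    (ipaddress.ip_network("0.0.0.0/0"), "uplink0"),       # default route to the Internet
    (ipaddress.ip_network("198.51.100.0/24"), "cust1"),   # customer 1
    (ipaddress.ip_network("203.0.113.0/24"), "cust2"),    # customer 2
    (ipaddress.ip_network("203.0.113.128/25"), "cust3"),  # more specific, customer 3
]

def reverse_path(src, ignore_default=True):
    """Longest-prefix match on the source: the interface the router would use to reach
    src, i.e. where src is expected to arrive. Default route skipped unless asked."""
    ip = ipaddress.ip_address(src)
    best = None
    for net, iface in ROUTING_TABLE:
        if ignore_default and net.prefixlen == 0:
            continue  # a default route would make every source look reachable
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rpf_accept(src, ingress, mode="strict", ignore_default=True):
    """Strict: the reverse path must be the ingress interface.
    Loose: some reverse path must exist, on any interface."""
    iface = reverse_path(src, ignore_default)
    if iface is None:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return iface == ingress
    raise ValueError(f"unknown mode {mode!r}")

# Constructed sample packets: (source address, ingress interface).
PACKETS = [
    ("198.51.100.7", "cust1"),    # legitimate customer 1 traffic
    ("203.0.113.9", "cust1"),     # customer 1 spoofing a customer 2 address
    ("10.0.0.1", "cust1"),        # spoofed private address, no route at all
    ("203.0.113.200", "cust2"),   # best route for this source points to cust3
    ("192.0.2.1", "uplink0"),     # Internet source, reachable only via default route
]

def filter_packets(mode, ignore_default=True):
    """Return the (src, ingress) pairs the router would forward in the given mode."""
    return [p for p in PACKETS if rpf_accept(p[0], p[1], mode, ignore_default)]
```

Note that the multihomed packet from cust2 is dropped in strict mode because the router's best route back points elsewhere, which is why loose mode fits core routers better.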
Cisco
Cisco IOS calls this feature Unicast Reverse Path Forwarding. It can be enabled per interface, and requires Cisco Express Forwarding. The following example turns on URPF on an interface:
Router(config)#interface FastEthernet1/0
Router(config-if)#ip verify unicast reverse-path
Linux
The following shell command enables reverse path filtering on an interface:
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
Instead of eth0, the keyword all may be used to enable RPF on all interfaces.
Juniper
The following JunOS configuration command enables RPF on an interface (the check is configured under the logical unit's inet family):
set interfaces so-0/1/0 unit 0 family inet rpf-check