Friday, July 4, 2008

RPF check

Unicast RPF (Reverse Path Forwarding) is another way to prevent source-address spoofing. If you are familiar with Multicast routing this shouldn't be too hard to understand. The router looks up the source IP address of an incoming packet in its routing table (CEF FIB, really; uRPF needs CEF enabled) and compares the result with the interface the packet arrived on. In strict mode, which is what the command below configures, the best route back to the source must point out the receiving interface, otherwise the packet is dropped. Strict mode only works where routing is symmetric; where there are multiple paths you would use loose mode instead (ip verify unicast source reachable-via any), which only requires that some route to the source exists. Either way, a default route does not satisfy the check unless you add the allow-default keyword.

For example, if R4 receives a packet on serial 1/0 and the source address isn't in its routing table (or the best route back to that source points out a different interface), it drops the packet. Let's try it out.

Here's our topology:

[R1]----[R4] s1/0 ----[R5]

R1-R4: 10.0.0.0/24
R4-R5: 155.1.45.0/24

OSPF area 0 is on all interfaces

R5 has 2 loopbacks:
155.1.55.55/32
155.1.155.155/32

We are not going to advertise the loopbacks into OSPF, so the RPF check fails on R4 for both of them. We are also going to attach an ACL to the check. The ACL is only consulted for packets that have already failed RPF: a packet the ACL permits is forwarded anyway, a packet it denies is dropped (and logged if the entry has the log keyword). So only one of the two loopbacks will actually be dropped by uRPF.

On R4:

R4(config)#access-list 100 permit ip 155.1.55.0 0.0.0.255 any
R4(config)#access-list 100 deny ip any any log

R4(config)#int s1/0
R4(config-if)#ip verify unicast reverse-path 100

That's it for the config! (If the interface command is refused, check that ip cef is enabled; uRPF depends on it.) Let's look at R4's routing table.

R4#show ip route | begin Gateway
Gateway of last resort is not set

155.1.0.0/24 is subnetted, 3 subnets
C 155.1.0.0 is directly connected, Serial1/1
C 155.1.4.0 is directly connected, Loopback0
C 155.1.45.0 is directly connected, Serial1/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, FastEthernet0/0

Notice that R4 has no route to either of R5's loopbacks, so packets from both fail the RPF check, but only 155.1.155.155 gets dropped: 155.1.55.55 is permitted by ACL 100 and is forwarded anyway. On R5 (neither ping gets a reply because R4 has no route back, but only the first set is actually blocked by R4, as we'll see below):

R5#ping 10.0.0.1 source 155.1.155.155

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 155.1.155.155
.....
Success rate is 0 percent (0/5)
R5#ping 10.0.0.1 source 155.1.55.55

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 155.1.55.55
.....
Success rate is 0 percent (0/5)
R5#

On R4:

R4#
*Mar 1 08:21:29.285: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 155.1.155.155 -> 10.0.0.1 (0/0), 1 packet
R4#
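To make the decision R4 just made concrete, here is a small Python model of the check. It is added here as an example and is not part of the original post or of IOS: a longest-prefix lookup over a FIB built from R4's routing table above, strict and loose modes, the IOS rule that a default route only counts with allow-default, and the ACL exemption that only applies after RPF has failed. The FIB, the ACL and the sample packets are constructed from the post's topology; the function names are my own.

```python
import ipaddress

# Constructed FIB mirroring R4's "show ip route" output in the post: prefix -> egress interface.
R4_FIB = {
    "155.1.0.0/24": "Serial1/1",
    "155.1.4.0/24": "Loopback0",
    "155.1.45.0/24": "Serial1/0",
    "10.0.0.0/24": "FastEthernet0/0",
}

# access-list 100 from the post: permit 155.1.55.0 0.0.0.255 any; implicit/explicit deny for the rest.
ACL_100 = [("permit", "155.1.55.0/24")]


def lookup(fib, addr, allow_default=False):
    """Longest-prefix match over the FIB. Returns (network, interface) or None.

    A 0.0.0.0/0 entry is ignored unless allow_default is set, mirroring the
    IOS allow-default keyword on ip verify unicast source reachable-via.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def acl_permits(acl, src):
    """Minimal numbered-ACL model: ordered (action, network) entries, implicit deny at the end."""
    ip = ipaddress.ip_address(src)
    for action, network in acl:
        if ip in ipaddress.ip_network(network):
            return action == "permit"
    return False


def urpf(fib, in_iface, src, mode="strict", exempt_acl=None, allow_default=False):
    """Return "forward" or "drop" for a packet with source src arriving on in_iface.

    strict: the best route to src must point back out in_iface.
    loose:  any route to src suffices (the default route only with allow_default).
    exempt_acl: consulted only when RPF fails; a permitted packet is forwarded anyway,
    a denied one is dropped (IOS logs it if the deny entry carries the log keyword).
    """
    match = lookup(fib, src, allow_default)
    if match is None:
        passed = False
    elif mode == "strict":
        passed = match[1] == in_iface
    else:
        passed = True
    if passed:
        return "forward"
    if exempt_acl is not None and acl_permits(exempt_acl, src):
        return "forward"
    return "drop"


def post_scenario():
    """The two pings from the post, as R4 sees them on Serial1/0 with ACL 100 attached."""
    return {
        src: urpf(R4_FIB, "Serial1/0", src, exempt_acl=ACL_100)
        for src in ("155.1.155.155", "155.1.55.55")
    }


if __name__ == "__main__":
    for src, verdict in post_scenario().items():
        print(f"{src:>15} arriving on Serial1/0 -> {verdict}")
    # A packet from R1's subnet arriving from the R5 side is spoofed: strict drops it, loose lets it through.
    print("10.0.0.1 spoofed via Serial1/0, strict:", urpf(R4_FIB, "Serial1/0", "10.0.0.1"))
    print("10.0.0.1 spoofed via Serial1/0, loose: ", urpf(R4_FIB, "Serial1/0", "10.0.0.1", mode="loose"))
```

The strict/loose difference shows up on the last two lines: a packet claiming to be from R1's 10.0.0.0/24 that arrives from R5 fails strict mode because the route for 10.0.0.0/24 points out FastEthernet0/0, but passes loose mode because a route exists at all. That is exactly why loose mode is the weaker (but asymmetric-routing-safe) choice.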

For more go here:
Configuring Unicast Reverse Path Forwarding
