| Rev | Author | # | Line |
|---|---|---|---|
| 7 | MattBrown | 1 | Reverse Path Filtering (RPF) is a technology that is used on InternetProtocol routers to try and prevent source address spoofing, which is often used for DenialOfService attacks. RPF works by checking the source IP of each packet received on an interface against the routing table. If the best route for the source IP address does not use the same interface that the packet was received on the packet is dropped. There are some situations where this feature will obviously not be the desired behaviour and will need to be disabled. In general if you are not multi-homed then enabling RPF on your router will not be a problem. |
| 5 | CraigBox | 2 | |
| 7 | MattBrown | 3 | ---- |
| 4 | !Example | ||
| 5 | Assume a router with the following routing table | ||
| 5 | CraigBox | 6 | |
| 9 | GerwinVanDeSteeg | 7 | <?plugin OldStyleTable |
| 7 | MattBrown | 8 | |Dest|Mask|Interface |
| 9 | |10.0.0.0|255.0.0.0|eth0 | ||
| 10 | |192.168.0.0|255.255.0.0|eth1 | ||
| 11 | |default|*|eth0 | ||
| 9 | GerwinVanDeSteeg | 12 | ?> |
| 5 | CraigBox | 13 | |
| 7 | MattBrown | 14 | A packet arriving at eth0 with a source IP address of 10.10.10.2 would not be dropped, as the best route for 10.10.10.2 is out eth0. |
| 5 | CraigBox | 15 | |
| 7 | MattBrown | 16 | A packet arriving at eth0 with a source IP address of 192.168.40.2 would be dropped as the best route for 192.168.40.2 is out eth1, a different interface to what the packet was received on. |
| 17 | ---- | ||
| 5 | CraigBox | 18 | |
| 7 | MattBrown | 19 | !! Controlling RPF in Linux |
| 5 | CraigBox | 20 | |
| 7 | MattBrown | 21 | In linux RPF is controlled by the rp_filter kernel option found in /proc/sys/net/ipv4/conf/*/rp_filter. Setting this option to 1 enables reverse path filtering on the specified interface, while setting it to 0 disables it. conf/all/rp_filter must be set to 1 for filtering to work on any interface. |
| 22 | |||
| 23 | See ip-sysctl.txt in the Documentation directory of the kernel source for more information | ||
| 5 | CraigBox | 24 | |
| 25 | ---- | ||
| 7 | MattBrown | 26 | !! Controlling RPF on Cisco Routers |
| 27 | |||
| 28 | To use RPF your router must support CiscoExpressForwarding.%%% | ||
| 5 | CraigBox | 29 | |
| 30 | To enable Reverse Path Forwarding.%%% | ||
| 9 | GerwinVanDeSteeg | 31 | <verbatim> |
| 5 | CraigBox | 32 | Router# |
| 33 | Router#configure terminal | ||
| 34 | Router(config)#int <<interface-type>> <<Interface-num>> | ||
| 35 | Router(config-if)#ip verify unicast reverse-path | ||
| 36 | Router(config-if)#end | ||
| 9 | GerwinVanDeSteeg | 37 | </verbatim> |
| 5 | CraigBox | 38 | |
| 39 | To verify the RPF is working%%% | ||
| 40 | ''Look closely at the last three lines''%%% | ||
| 9 | GerwinVanDeSteeg | 41 | <verbatim> |
| 5 | CraigBox | 42 | Router#show ip interface |
| 43 | <<Interface-type>> <<interface-num>> is up, line protocol is up | ||
| 44 | Internet address is xxx.xxx.xxx.xxx/xx | ||
| 45 | Broadcast address is xxx.xxx.xxx.xxx | ||
| 6 | CraigBox | 46 | ...snip... |
| 5 | CraigBox | 47 | WCCP Redirect exclude is disabled |
| 48 | BGP Policy Mapping is disabled | ||
| 49 | __IP verify source reachable-via RX, allow default__ | ||
| 50 | __4 verification drops__ | ||
| 51 | __0 suppressed verification drops__ | ||
| 9 | GerwinVanDeSteeg | 52 | </verbatim> |
| 7 | MattBrown | 53 | |
| 54 | See http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7d4.html for more details. | ||
| 5 | CraigBox | 55 | ----- |
| 7 | MattBrown | 56 | !!Configuring RPF on Juniper Routers |
| 6 | CraigBox | 57 | |
| 7 | MattBrown | 58 | To enable Reverse Path Forwarding |
| 6 | CraigBox | 59 | |
| 9 | GerwinVanDeSteeg | 60 | <verbatim> |
| 8 | CraigBox | 61 | [[edit] |
| 7 | MattBrown | 62 | routing-options { |
| 6 | CraigBox | 63 | |
| 7 | MattBrown | 64 | forwarding-table { |
| 6 | CraigBox | 65 | |
| 7 | MattBrown | 66 | unicast-reverse-path (active-paths | feasible-paths); |
| 6 | CraigBox | 67 | |
| 7 | MattBrown | 68 | } |
| 6 | CraigBox | 69 | |
| 7 | MattBrown | 70 | } |
| 9 | GerwinVanDeSteeg | 71 | </verbatim> |
| 6 | CraigBox | 72 | |
| 7 | MattBrown | 73 | See http://www.juniper.net/techpubs/software/junos/junos63/swconfig63-routing/html/routing-generic-config11.html for more details. |
| 6 | CraigBox | 74 | |
| 75 | ---- | ||
| 76 | |||
| 5 | CraigBox | 77 | CategoryNetworking |
lib/blame.php:177: Warning: Invalid argument supplied for foreach()