ReversePathFiltering
Reverse Path Filtering (RPF) is a technology used on InternetProtocol routers to try to prevent source address spoofing, which is often used for DenialOfService attacks. RPF works by checking the source IP address of each packet received on an interface against the routing table. If the best route for the source IP address does not use the same interface that the packet was received on, the packet is dropped. There are some situations where this behaviour is obviously not desired and the feature will need to be disabled. In general, if you are not multi-homed, enabling RPF on your router will not be a problem.
----
!! Example
Assume a router with the following routing table:
<?plugin OldStyleTable
|Dest|Mask|Interface
|10.0.0.0|255.0.0.0|eth0
|192.168.0.0|255.255.0.0|eth1
|default|*|eth0
?>
A packet arriving at eth0 with a source IP address of 10.10.10.2 would not be dropped, as the best route for 10.10.10.2 is out eth0.

A packet arriving at eth0 with a source IP address of 192.168.40.2 would be dropped, as the best route for 192.168.40.2 is out eth1, a different interface from the one the packet was received on.
----
!! Controlling RPF in Linux
In Linux RPF is controlled by the rp_filter kernel option found in /proc/sys/net/ipv4/conf/*/rp_filter. Setting this option to 1 enables reverse path filtering on the specified interface, while setting it to 0 disables it. conf/all/rp_filter must be set to 1 for filtering to work on any interface. See ip-sysctl.txt in the Documentation directory of the kernel source for more information.
----
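The lookup described in the example above, as a small Python model added here (it is not part of the original page): it performs a longest-prefix match against the example routing table and applies the strict RPF rule to a few constructed packets. The interface names come from the table on this page; the extra sample source addresses are constructed for illustration.

```python
import ipaddress

# Constructed copy of the routing table from the example on this page:
# (destination, mask, outgoing interface). "default" is the 0.0.0.0/0 route.
ROUTING_TABLE = [
    ("10.0.0.0", "255.0.0.0", "eth0"),
    ("192.168.0.0", "255.255.0.0", "eth1"),
    ("default", "*", "eth0"),
]


def parse_routes(rows):
    """Turn (dest, mask, iface) rows into (ip_network, iface) pairs."""
    routes = []
    for dest, mask, iface in rows:
        if dest == "default":
            routes.append((ipaddress.ip_network("0.0.0.0/0"), iface))
        else:
            routes.append((ipaddress.ip_network(f"{dest}/{mask}"), iface))
    return routes


def best_route(routes, addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    candidates = [(net, iface) for net, iface in routes if ip in net]
    if not candidates:
        return None
    net, iface = max(candidates, key=lambda r: r[0].prefixlen)
    return iface


def rpf_accepts(routes, src, in_iface):
    """Strict RPF as described above: accept only if the best route back to
    the source address leaves via the interface the packet arrived on."""
    return best_route(routes, src) == in_iface


def filter_packets(routes, packets):
    """Return the (src, in_iface) pairs that RPF would drop."""
    return [(s, i) for s, i in packets if not rpf_accepts(routes, s, i)]


if __name__ == "__main__":
    routes = parse_routes(ROUTING_TABLE)
    # Constructed sample traffic: the two cases from the page plus two more.
    packets = [
        ("10.10.10.2", "eth0"),    # best route via eth0 -> accepted
        ("192.168.40.2", "eth0"),  # best route via eth1 -> dropped
        ("192.168.40.2", "eth1"),  # arrives where it is routed -> accepted
        ("8.8.8.8", "eth1"),       # only the default route (eth0) matches -> dropped
    ]
    for pkt in filter_packets(routes, packets):
        print("RPF drop: src=%s in=%s" % pkt)
```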
!! Controlling RPF on Cisco Routers
To use RPF your router must support CiscoExpressForwarding.%%%
To enable Reverse Path Forwarding:%%%
<verbatim>
Router#
Router#configure terminal
Router(config)#int <<interface-type>> <<Interface-num>>
Router(config-if)#ip verify unicast reverse-path
Router(config-if)#end
</verbatim>
To verify that RPF is working%%%
''Look closely at the last three lines''%%%
<verbatim>
Router#show ip interface <<Interface-type>> <<interface-num>>
<<Interface-type>><<interface-num>> is up, line protocol is up
  Internet address is xxx.xxx.xxx.xxx/xx
  Broadcast address is xxx.xxx.xxx.xxx
  ...snip...
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
  __IP verify source reachable-via RX, allow default__
  __4 verification drops__
  __0 suppressed verification drops__
</verbatim>
See http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7d4.html for more details.
----
!! Configuring RPF on Juniper Routers
To enable Reverse Path Forwarding:
<verbatim>
[edit]
routing-options {
    forwarding-table {
        unicast-reverse-path (active-paths | feasible-paths);
    }
}
</verbatim>
See http://www.juniper.net/techpubs/software/junos/junos63/swconfig63-routing/html/routing-generic-config11.html for more details.
----
CategoryNetworking