Re: Understanding Loose uRPF for preventing spoof attacks

From: Carlos G Mendioroz <tron_at_huapi.ba.ar>
Date: Mon, 10 May 2010 15:33:20 -0300

uRPF has, apart from vrf modes, 4 alternatives:
loose/strict, with or w/o default.

Strict needs the (default/specific network) pointing to the incoming if.
Loose needs the (default/specific network) pointing somewhere.

Loose with default is kind of useless, IMHO, but loose needs the route
to the origin to be in the RIB, so the source has to be known...

-Carlos

Jorge Cortes @ 10/5/2010 12:42 -0300 dixit:
> Hi Team,
>
> I've been thinking about uRPF for preventing spoof attacks and so far
> this is what I understand:
>
> When strict uRPF is in use, the incoming packets are checked against
> the routing table and there must be an exact match [network, outgoing
> interface] in it in order for the packet to be forwarded, otherwise it
> is dropped.
> When loose uRPF is in use, the routing table is only checked for
> routes pointing to the source network of the incoming packets, but a
> check on the incoming interface is not enforced.
>
> So given the above facts strict uRPF is very well suited for
> preventing spoof attacks when the offending packets have a spoofed IP
> address in any network that is not in the routing table, as well as
> internal networks; however, I can see that loose uRPF fails to prevent
> spoof attacks when the offending packets have a spoofed IP address in
> the internal network, since the routers have routes for the internal
> networks and there is no check enforced on the incoming interface. Is
> my understanding correct?
>
> If we have a multihomed topology where the traffic flows are
> asymmetric and we are asked to prevent spoof attacks with IP addresses
> in the internal network, what would be the way to accomplish this? The
> simplest solution that comes to my mind would be applying ingress
> access lists denying packets with source ip address from the internal
> network on the interfaces facing the external network, but I would
> like to expand the possibilities.
>
> Thanks,
> Jorge
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Carlos G Mendioroz  <tron_at_huapi.ba.ar>  LW7 EQI  Argentina
Received on Mon May 10 2010 - 15:33:20 ART
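The four uRPF variants Carlos lists (strict/loose, with or without the default route counting as a valid match) and the ingress ACL Jorge proposes, worked through against a small routing table. This is an added example written for this thread, not code from either poster or from any vendor; the RIB, the interface names (Gi0/0 and Gi0/1 facing two ISPs, Gi0/2 facing the internal 10.0.0.0/8) and the sample sources are all constructed. It also shows the multihomed asymmetric case, where strict uRPF on the ISP A link drops legitimate return traffic whose best route points at ISP B, which is exactly the situation in which loose uRPF is reached for and in which it lets a spoofed internal source through.

```python
"""Toy uRPF evaluator: strict/loose, with or without 'allow default',
plus an ingress anti-spoof ACL, run against a constructed RIB.

Added example for this thread, not code from the original post or from
any vendor. RIB, interface names and sample sources are constructed."""

import ipaddress

# Constructed RIB: (prefix, outgoing interface). 0.0.0.0/0 is the default.
RIB = [
    ("0.0.0.0/0", "Gi0/0"),        # default route via ISP A
    ("10.0.0.0/8", "Gi0/2"),       # internal network
    ("192.0.2.0/24", "Gi0/1"),     # a prefix whose best path is via ISP B
]

# Constructed policy for the ingress ACL: internal space and the
# interfaces that face the outside world.
INTERNAL = ["10.0.0.0/8"]
EXTERNAL_IFS = {"Gi0/0", "Gi0/1"}


def lookup(rib, src):
    """Longest-prefix match on the source address.

    Returns (network, out_if) or None when no route covers the source."""
    addr = ipaddress.ip_address(src)
    best = None
    for pfx, out_if in rib:
        net = ipaddress.ip_network(pfx)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_if)
    return best


def urpf_check(rib, src, in_if, mode="strict", allow_default=False):
    """True if a packet from src arriving on in_if passes uRPF.

    strict: the best route to src must point out the arrival interface.
    loose:  any route to src is enough, whatever interface it points at.
    allow_default: whether a match on 0.0.0.0/0 counts as 'a route'."""
    match = lookup(rib, src)
    if match is None:
        return False                      # unknown source: both modes drop
    net, out_if = match
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default covers it
    if mode == "loose":
        return True
    if mode == "strict":
        return out_if == in_if
    raise ValueError(f"unknown uRPF mode {mode!r}")


def ingress_acl_permits(src, in_if, internal=INTERNAL, external_ifs=EXTERNAL_IFS):
    """Jorge's ACL: deny any packet that claims an internal source address
    on an external-facing interface; permit everything else."""
    if in_if in external_ifs:
        addr = ipaddress.ip_address(src)
        if any(addr in ipaddress.ip_network(p) for p in internal):
            return False
    return True


def evaluate(src, in_if):
    """Run every variant on one packet; returns a dict of pass/drop results."""
    return {
        "strict": urpf_check(RIB, src, in_if, "strict"),
        "strict+default": urpf_check(RIB, src, in_if, "strict", True),
        "loose": urpf_check(RIB, src, in_if, "loose"),
        "loose+default": urpf_check(RIB, src, in_if, "loose", True),
        "ingress_acl": ingress_acl_permits(src, in_if),
    }


if __name__ == "__main__":
    # Constructed packets: spoofed internal source on the ISP A link,
    # an unrouted source on the ISP A link, and legitimate but asymmetric
    # return traffic (best route via ISP B) arriving from ISP A.
    for label, src, in_if in [
        ("spoofed internal src via ISP A", "10.1.2.3", "Gi0/0"),
        ("unrouted src via ISP A", "198.51.100.7", "Gi0/0"),
        ("asymmetric legit src via ISP A", "192.0.2.5", "Gi0/0"),
    ]:
        res = evaluate(src, in_if)
        print(f"{label:34s} " + "  ".join(
            f"{k}={'pass' if v else 'DROP'}" for k, v in res.items()))
```

Reading the output against the thread: the spoofed 10.1.2.3 arriving from ISP A is dropped by strict (its route points at Gi0/2) but passes loose in both variants, and only the ACL catches it on a loose-mode interface. The unrouted 198.51.100.7 is dropped by loose without default, yet passes loose with default, which is Carlos's point that "loose with default" checks almost nothing; strict with default passes it too on Gi0/0 because the default route happens to point out that interface. The asymmetric 192.0.2.5 shows the cost of strict mode in a multihomed design: legitimate traffic is dropped because the best route points at the other ISP, while loose and the ACL both let it through.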

This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:52 ART