RE: Understanding Loose uRPF for preventing spoof attacks

Jorge,

Long, long story...

Very briefly, no the Feasible uRPF has not been implemented within the IOS yet. In dual or multihomed SP/enterprise networks we usually use BGP to be able to deploy (even) the Strict mode; BUT to get rid of that BGP thing you could use the "Feasible feature" :)

If this imaginary discussion is not still crystal clear and you need to know more; please give me a buzz. This however sounds more like a CCIE security to me.

--------------------------
Kambiz Agahian
CCIE (R&S), CCSI, WAASSE, RSSSE
Technical Instructor
CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)
Email: kagahian_at_ccbootcamp.com
Toll Free: 877-654-2243
International: +1-702-968-5100
Skype: skype:ccbootcamp?call
FAX: +1-702-446-8012
YES! We take Cisco Learning Credits!
Training And Remote Racks: http://www.ccbootcamp.com

-----Original Message-----
From: Jorge Cortes [mailto:jorge.cortes.cano_at_gmail.com]
Sent: Monday, May 10, 2010 5:40 PM
To: Kambiz Agahian
Cc: Carlos G Mendioroz; Cisco certification
Subject: Re: Understanding Loose uRPF for preventing spoof attacks

Thanks Kambiz,

Interesting reading. It has raised more questions though:

Does cisco implement Feasible RPF? Or only Strict and Loose
implementations are supported?

The following paragraph from section 4.2 confuses me a bit:

"There are a number of techniques which make it easier to ensure the
ISP's ingress filter is complete. Feasible RPF and Strict RPF with
operational techniques both work quite well for multihomed or
asymmetric scenarios between the ISP and an edge network."

I would think Strict RPF doesn't work well in multihomed scenarios
where traffic flows asymmetric since most likely you will be receiving
traffic not on the interface used for getting to the network the
traffic is coming from.

Jorge

On Mon, May 10, 2010 at 5:53 PM, Kambiz Agahian <kagahian_at_ccbootcamp.com> wrote:
> Jorge,
>
> Nice question.
>
> According to RFC-3704 there is only three modes of RPF: Strict, Loose
> and Feasible.
>
> When you use the loose mode you're actually ignoring what's called
> "directionality" - why? Because as you've noticed as long as you see the
> route the box is happy to forward it. If you take a look at RFC-3704
> Chapter 2.4; they've exactly answered your question. In that case you're
> right; the loose thing is inefficient.
>
> HTH
>
> --------------------------
> Kambiz Agahian
> CCIE (R&S), CCSI, WAASSE, RSSSE
> Technical Instructor
> CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)
> Email: kagahian_at_ccbootcamp.com
> Toll Free: 877-654-2243
> International: +1-702-968-5100
> Skype: skype:ccbootcamp?call
> FAX: +1-702-446-8012
> YES! We take Cisco Learning Credits!
> Training And Remote Racks: http://www.ccbootcamp.com
>
>
>
>
>
>
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Carlos G Mendioroz
> Sent: Monday, May 10, 2010 11:33 AM
> To: Jorge Cortes
> Cc: Cisco certification
> Subject: Re: Understanding Loose uRPF for preventing spoof attacks
>
> uRPF has, appart from vrf modes, 4 alternatives:
> loose/strict, with or w/o default.
>
> Strict needs the (default/specific network) pointing to the incoming if.
> Loose needs the (default/specific network) pointing somewhere.
>
> Loose with default is kind of useless, IMHO, but loose needs the route
> to the origing to be at the RIB, so the source has to be known...
>
> -Carlos
>
> Jorge Cortes @ 10/5/2010 12:42 -0300 dixit:
>> Hi Team,
>>
>> I've been thinking about uRPF for preventing spoof attacks and so far
>> this is what I understand:
>>
>> When strict uRPF is in use, the incoming packets are checked against
>> the routing table and there must be an exact match [network, outgoing
>> interface] in it in order for the packet to be forwarded, otherwise it
>> is dropped.
>> When loose uRPF is in use, the routing table is only checked for
>> routes pointing to the source network of the incoming packets, but a
>> check on the incoming interface is not enforced.
>>
>> So given the above facts strict uRPF is very well suited for
>> preventing spoof attacks when the offending packets have an spoofed IP
>> address in any network that is not in the routing table, as well as
>> internal networks; however, I can see that loose uRPF fails to prevent
>> spoof attacks when the offending packets have an spoofed IP address in
>> the internal network, since the routers have routes for the internal
>> networks and there is no check enforced on the incoming interface, is
>> my understanding correct?
>>
>> If we have a multihomed topology where the traffic flows are
>> asymmetric and we are asked to prevent spoof attacks with IP addresses
>> in the internal network, what would be the way to accomplish this? The
>> simplest solution that comes to my mind would be applying ingress
>> access lists denying packets with source ip address from the internal
>> network on the interfaces facing the external network, but I would
>> like to expand the possibilities.
>>
>> Thanks,
>> Jorge
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>>
> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>>
>>
>>
>>
>>
>
> --
> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Mon May 10 2010 - 19:01:37 ART