Security Configuration Guide: Unicast Reverse Path Forwarding Cisco IOS XE Release 3S (Cisco ASR 1000)
Unicast Reverse Path Forwarding ACL Support
Downloads: This chapterpdf (PDF - 229.0KB) The complete bookPDF (PDF - 544.0KB) | Feedback

Unicast Reverse Path Forwarding ACL Support

Unicast Reverse Path Forwarding ACL Support

Last Updated: November 26, 2012

The Unicast Reverse Path Forwarding feature helps to mitigate problems that are caused by malformed or forged IP source addresses that pass through a device. The Unicast Reverse Path Forwarding ACL Support feature adds the access control list (ACL) support to the Unicast Reverse Path Forwarding feature. With the ACL support, Unicast Reverse Path Forwarding (RPF) can determine whether to drop or to forward data packets that have malformed or forged IP source addresses.

This module describes the ACL support for Unicast RPF.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Unicast Reverse Path Forwarding ACL Support

  • Unicast RPF requires Cisco Express Forwarding to function properly on a device.
  • Prior to configuring Unicast RPF, you must configure the following ACLs:
    • Configure standard or extended ACLs to mitigate the transmission of invalid IP addresses (by performing egress filtering). Configuring standard or extended ACLS, permit only valid source addresses to leave your network and enter the Internet.

    • Configure standard or extended ACL entries to drop (deny) packets that have invalid source IP addresses (by performing ingress filtering). Invalid source IP addresses include the following types:

      • Broadcast addresses (including multicast addresses)
      • Loopback addresses
      • Private addresses (RFC 1918, Address Allocation for Private Internets)

      • Reserved addresses
      • Source addresses that fall outside the range of valid addresses associated with a protected network

    • Configure standard or extended ACL entries to forward (permit) packets that fail the Unicast RPF checks and allow specific traffic from known asymmetric routed sources.

  • Configure ACLs to track Unicast RPF events to provide additional information about network attacks.

Restrictions for Unicast Reverse Path Forwarding ACL Support

ACL templates are not supported.

Information About Unicast Reverse Path Forwarding ACL Support

Unicast RPF Operation

When Unicast RPF is enabled on an interface of a device, the device examines all packets received as input on that interface to ensure that the source address and source interface information appears in the routing table and matches the interface on which packets are received. This ability to "look backwards" is available only when Cisco Express Forwarding is enabled on a device because the lookup relies on the presence of a Forwarding Information Base (FIB). Cisco Express Forwarding generates a FIB as part of its operation.


Note


In Cisco ASR 1000 Series Aggregation Services Routers, Cisco Express Forwarding is enabled by default and cannot be disabled.

Note


Unicast RPF is an input function and is applied only on the input interface of a device at the upstream end of a connection.

Unicast RPF does a reverse lookup in the Cisco Express Forwarding table to check if any packet received at the interface of a device arrives on the best return path (or return route) to the source of the packet. If the packet was received from one of the best reverse path routes, the packet is forwarded as normal. No reverse path route on the interface from which the packet was received can mean that the source address was modified. If Unicast RPF cannot find a reverse path for the packet, the packet is dropped or forwarded, depending on whether an access control list (ACL) is specified by using the ip verify unicast source reachable via command.


Note


With Unicast RPF, all equal-cost "best" return paths are considered valid. Unicast RPF supports multiple return paths, provided that each path is equal to the others in terms of the routing cost (such as number of hops, weights, and so on) and the route is available in the FIB. Unicast RPF also functions where Enhanced Interior Gateway Routing Protocol (EIGRP) variants are used.
Before forwarding a packet that is received at the interface on which Unicast RPF and ACLs have been configured, Unicast RPF does the following checks:
  1. If input ACLs are configured on the inbound interface.
  2. If the packet has arrived on the best return path to the source by doing a reverse lookup in the FIB table.
  3. Does a lookup of the Cisco Express Forwarding table for packet forwarding.
  4. Checks output ACLs on the outbound interface.
  5. Forwards the packet.

Access Control Lists and Logging

When you configure an access control list (ACL) and a packet fails the Unicast RPF check, the Unicast RPF checks the ACL to see if the packet should be dropped (by using a deny statement in the ACL) or forwarded (by using a permit statement in the ACL). Regardless of whether the packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF.

If no ACL is configured, the device drops the forged or malformed packet immediately, and no ACL logging occurs. The device and the interface Unicast RPF logging counters are updated.

To log Unicast RPF events, specify the logging option for ACL entries. Using the log information, administrators can view source addresses that are used in an attack, the time at which packets arrived at an interface, and so on.


Caution


Logging requires CPU and memory resources. Logging Unicast RPF events for attacks that have a high rate of forged packets can degrade the performance of a device.


Per-Interface Statistics

Each time a packet is dropped or forwarded at an interface, that information is counted globally at the device and at the interface on which Unicast RPF is configured. Global statistics of dropped packets provide information about potential attacks on a network. However, these global statistics do not specify which interface is the source of the attack.

Per-interface statistics allow network administrators to track two types of information about malformed packets: Unicast RPF drops and Unicast RPF suppressed drops. Statistics about the number of packets that Unicast RPF drops help to identify the interface that is the entry point of the attack. The Unicast RPF drop count tracks the number of drops at the interface. The Unicast RPF suppressed drop count tracks the number of packets that failed the Unicast RPF check but were forwarded because of the permit permission set up in the ACL. Using the drop count and suppressed drop count statistics, a network administrator can take steps to isolate the attack at a specific interface.


Note


Use of ACL logging can further help to identify addresses that are dropped by Unicast RPF.

The figure below illustrates how Unicast RPF and Cisco Express Forwarding work together to validate source IP addresses by verifying packet return paths. In this example, a packet that has a source address of 192.168.1.1 is sent from FDDI interface 2/0/0. Unicast RPF checks the FIB to see if 192.168.1.1 has a path to FDDI 2/0/0. If there is a matching path, the packet is forwarded. If there is no matching path, the packet is dropped.

Figure 1 Unicast RPF Validating IP Source Addresses


The figure below illustrates how Unicast RPF drops packets that fail validation. In this example, a packet that has a source address of 209.165.200.225 is received at FDDI interface 2/0/0. Unicast RPF checks the FIB to see if 209.165.200.225 has a return path to FDDI interface 2/0/0. If there is a matching path, the packet is forwarded. In this case, there is no reverse entry in the routing table that routes the packet back to source address 209.165.200.225 on FDDI interface 2/0/0, so the packet is dropped.

Figure 2 Unicast RPF Dropping Packets That Fail Verification


How to Configure Unicast Reverse Path Forwarding ACL Support

Configuring Unicast RPF with ACL Support

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    interface type number

4.    ipv6 address ipv6-address/prefix-length

5.    ipv6 verify unicast source reachable-via {rx | any} [access-list]

6.    end

7.    show cef interface [type number]

8.    show ipv6 traffic


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Device> enable

 
Enables privileged EXEC mode.
  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Device# configure terminal

 

Enters global configuration mode.

 
Step 3
interface type number


Example:

Device(config)# interface gigabitethernet 0/0/1

 

Configures an interface and enters interface configuration mode.

 
Step 4
ipv6 address ipv6-address/prefix-length


Example:

Device(config-if)# ipv6 address 2001:DB8:1::1/96

 

Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an interface.

 
Step 5
ipv6 verify unicast source reachable-via {rx | any} [access-list]


Example:

Device(config-if)# ipv6 verify unicast source reachable-via any acl1

 

Verifies that a source address exists in the FIB table and enables Unicast RPF.

 
Step 6
end


Example:

Device(config-if)# end

 

Exits interface configuration mode and enters privileged EXEC mode.

 
Step 7
show cef interface [type number]


Example:

Device# show cef interface gigabitethernet 0/0/1

 

Displays detailed Cisco Express Forwarding information for a specified interface or for all interfaces.

 
Step 8
show ipv6 traffic


Example:

Device# show ipv6 traffic

 

Displays statistics about IPv6 traffic.

 

Example:

The following is sample output from the show cef interface gigabitethernet 0/0/1 command:

Device# show cef interface gigabitethernet 0/0/1

 GigabitEthernet0/0/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C67D:4FFF:FEB6:E410
  No Virtual link-local address(es):
  Global unicast address(es):
    2001::1, subnet is 2001::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FFB6:E410
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  Input features: Verify Unicast Reverse-Path
 IPv6 verify source reachable-via rx, ACL test
   0 verification drop(s) (process), 0 (CEF)
   0 suppressed verification drop(s) (process), 0 (CEF)
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.

The following is sample output from the show ipv6 traffic command:

Device# show ipv6 traffic

 IPv6 statistics:
        Rcvd:  6 total, 0 local destination
               0 source-routed, 0 truncated
               0 format errors, 0 hop count exceeded
               0 bad header, 0 unknown option, 0 bad source
               0 unknown protocol, 0 not a router
               0 fragments, 0 total reassembled
               0 reassembly timeouts, 0 reassembly failures
        Sent:  34 generated, 28 forwarded
               0 fragmented into 0 fragments, 0 failed
               0 encapsulation failed, 0 no route, 0 too big
               0 RPF drops, 0 RPF suppressed drops
        Mcast: 6 received, 34 sent

ICMP statistics:
        Rcvd: 6 input, 0 checksum errors, 0 too short
              0 unknown info type, 0 unknown error type
              unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
                       0 sa policy, 0 reject route
              parameter: 0 error, 0 header, 0 option
              0 hopcount expired, 0 reassembly timeout,0 too big
              0 echo request, 0 echo reply
              0 group query, 0 group report, 0 group reduce
              0 router solicit, 0 router advert, 0 redirects
              0 neighbor solicit, 0 neighbor advert
        Sent: 34 output, 0 rate-limited
              unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
                       0 sa policy, 0 reject route
              parameter: 0 error, 0 header, 0 option
              0 hopcount expired, 0 reassembly timeout,0 too big
              0 echo request, 0 echo reply
              0 group query, 0 group report, 0 group reduce
              0 router solicit, 18 router advert, 0 redirects
              2 neighbor solicit, 2 neighbor advert

Configuration Examples for Unicast Reverse Path Forwarding ACL Support

Example: Configuring Unicast RPF with ACL Support

Device# configure terminal
Device(config)# interface gigabitethernet 0/0/1
Device(config-if)# ipv6 address 2001:DB8:1::1/96
Device(config-if)# ipv6 verify unicast source reachable-via any acl1
Device(config-if)# end

Additional References

Standards & RFCs

Standard/RFC

Title

RFC 1918

Address Allocation for Private Internets

RFC 2267

Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing

Technical Assistance

Description

Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for Unicast Reverse Path Forwarding ACL Support

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for Unicast Reverse Path Forwarding ACL Support
Feature Name Releases Feature Information

Unicast Reverse Path Forwarding ACL Support

Cisco IOS XE Release 3.7S

The Unicast Reverse Path Forwarding feature helps to mitigate problems that are caused by malformed or forged IP source addresses that pass through a device. The Unicast Reverse Path Forwarding ACL support feature adds the ACL support to the Unicast Reverse Path Forwarding feature. With the ACL support, Unicast RPF can determine whether to drop or to forward data packets that have malformed or forged IP source addresses.

The following commands were introduced or modified: ip verify unicast source reachable-via and ipv6 verify unicast source reachable-via.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.