Security Configuration Guide: Unicast Reverse Path Forwarding Cisco IOS XE Release 3S (Cisco ASR 1000)
Unicast Reverse Path Forwarding ACL Support
Last Updated: November 26, 2012
The Unicast Reverse Path Forwarding feature helps to mitigate problems that are caused by malformed or forged IP source addresses that pass through a device. The Unicast Reverse Path Forwarding ACL Support feature adds the access control list (ACL) support to the Unicast Reverse Path Forwarding feature. With the ACL support, Unicast Reverse Path Forwarding (RPF) can determine whether to drop or to forward data packets that have malformed or forged IP source addresses.
This module describes the ACL support for Unicast RPF.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Unicast Reverse Path Forwarding ACL Support
Information About Unicast Reverse Path Forwarding ACL Support
Unicast RPF Operation
When Unicast RPF is enabled on an interface of a device, the device examines all packets received as input on that interface to ensure that the source address and source interface information appears in the routing table and matches the interface on which packets are received. This ability to "look backwards" is available only when Cisco Express Forwarding is enabled on a device because the lookup relies on the presence of a Forwarding Information Base (FIB). Cisco Express Forwarding generates a FIB as part of its operation.
Unicast RPF does a reverse lookup in the Cisco Express Forwarding table to check whether a packet received on an interface of a device arrived on the best return path (or return route) to the source of the packet. If the packet was received on one of the best reverse-path routes, the packet is forwarded as normal. The absence of a reverse-path route through the interface on which the packet was received can mean that the source address was modified. If Unicast RPF cannot find a reverse path for the packet, the packet is dropped or forwarded, depending on whether an access control list (ACL) is specified by using the ip verify unicast source reachable-via command.
Before forwarding a packet that is received at the interface on which Unicast RPF and ACLs have been configured, Unicast RPF does the following checks:
Access Control Lists and Logging
When you configure an access control list (ACL) and a packet fails the Unicast RPF check, Unicast RPF checks the ACL to see if the packet should be dropped (by using a deny statement in the ACL) or forwarded (by using a permit statement in the ACL). Regardless of whether the packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF.
If no ACL is configured, the device drops the forged or malformed packet immediately, and no ACL logging occurs. The device and the interface Unicast RPF logging counters are updated.
To log Unicast RPF events, specify the logging option for ACL entries. Using the log information, administrators can view source addresses that are used in an attack, the time at which packets arrived at an interface, and so on.
Each time a packet is dropped or forwarded at an interface, that information is counted globally at the device and at the interface on which Unicast RPF is configured. Global statistics of dropped packets provide information about potential attacks on a network. However, these global statistics do not specify which interface is the source of the attack.
Per-interface statistics allow network administrators to track two types of information about malformed packets: Unicast RPF drops and Unicast RPF suppressed drops. Statistics about the number of packets that Unicast RPF drops help to identify the interface that is the entry point of the attack. The Unicast RPF drop count tracks the number of drops at the interface. The Unicast RPF suppressed drop count tracks the number of packets that failed the Unicast RPF check but were forwarded because of a permit statement in the ACL. Using the drop count and suppressed drop count statistics, a network administrator can take steps to isolate the attack at a specific interface.
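The decision sequence described in this section (reverse lookup in the FIB, then the ACL as a fallback, then the per-interface drop and suppressed-drop counters and ACL logging) can be followed in a small simulation. The code below is an added example, not code from the Cisco guide or from IOS XE; the FIB, ACL entries, interface names and packets are constructed for illustration, and the allow_default parameter mirrors the behaviour of the IOS allow-default keyword, which is an assumption about how the real check treats a default route.

```python
"""Simulation of the strict (reachable-via rx) Unicast RPF check with ACL support.
Added example, not code from the Cisco guide; the FIB, ACL and packets below
are constructed for illustration."""

import ipaddress
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    prefix: str   # source prefix the entry matches, e.g. "10.0.0.0/8"
    log: bool = False


@dataclass
class Stats:
    drops: Counter = field(default_factory=Counter)       # per-interface RPF drops
    suppressed: Counter = field(default_factory=Counter)  # failed the check but ACL permitted
    log_lines: list = field(default_factory=list)         # entries generated by ACL "log"


def fib_lookup(fib, src, allow_default=False):
    """Longest-prefix match of src in the FIB; returns the egress interface or None.
    Assumption (modelled on the IOS allow-default keyword): the default route is
    not used for the reverse-path check unless explicitly allowed."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def acl_lookup(acl, src):
    """First matching ACL entry, or None (the implicit deny at the end of an ACL)."""
    ip = ipaddress.ip_address(src)
    for entry in acl:
        if ip in ipaddress.ip_network(entry.prefix):
            return entry
    return None


def urpf_strict(fib, acl, stats, in_iface, src):
    """Check a packet with source src arriving on in_iface.
    Returns "forward" or "drop" and updates the per-interface counters."""
    if fib_lookup(fib, src) == in_iface:
        return "forward"                       # best route to the source points back out the ingress interface
    # RPF failure: consult the ACL if one is configured; with no ACL the packet is
    # dropped immediately and no ACL logging occurs
    entry = acl_lookup(acl, src) if acl is not None else None
    if entry is not None and entry.log:
        stats.log_lines.append(f"uRPF fail src={src} in={in_iface} acl={entry.action}")
    if entry is not None and entry.action == "permit":
        stats.suppressed[in_iface] += 1        # counted as a suppressed drop, but forwarded
        return "forward"
    stats.drops[in_iface] += 1
    return "drop"


# Constructed FIB: prefix -> interface that the best route to it points out of
FIB = {
    "192.168.1.0/24": "Gi0/0/1",
    "10.0.0.0/8": "Gi0/0/2",
    "0.0.0.0/0": "Gi0/0/0",
}

# Constructed ACL: tolerate one asymmetrically routed prefix, log and deny everything else
ACL = [AclEntry("permit", "10.0.0.0/8"), AclEntry("deny", "0.0.0.0/0", log=True)]

# Constructed packets: (ingress interface, source address)
PACKETS = [
    ("Gi0/0/1", "192.168.1.1"),   # best path to the source is Gi0/0/1: passes
    ("Gi0/0/1", "10.1.2.3"),      # best path is Gi0/0/2: fails, ACL permits -> suppressed drop
    ("Gi0/0/1", "203.0.113.5"),   # only the default route matches: fails, ACL denies and logs
    ("Gi0/0/2", "10.9.9.9"),      # passes
]


def run(acl=ACL):
    """Run every constructed packet through the check; returns (decisions, stats)."""
    stats = Stats()
    results = [urpf_strict(FIB, acl, stats, iface, src) for iface, src in PACKETS]
    return results, stats


if __name__ == "__main__":
    res, st = run()
    for (iface, src), r in zip(PACKETS, res):
        print(f"{iface} {src}: {r}")
    print("drops:", dict(st.drops), "suppressed:", dict(st.suppressed))
    print("\n".join(st.log_lines))
```

Running run() with acl=None shows the no-ACL behaviour from the section above: both failing packets are dropped, the interface drop counter rises to two, and no log entries are produced.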
The figure below illustrates how Unicast RPF and Cisco Express Forwarding work together to validate source IP addresses by verifying packet return paths. In this example, a packet that has a source address of 192.168.1.1 is sent from FDDI interface 2/0/0. Unicast RPF checks the FIB to see if 192.168.1.1 has a path to FDDI 2/0/0. If there is a matching path, the packet is forwarded. If there is no matching path, the packet is dropped.
The figure below illustrates how Unicast RPF drops packets that fail validation. In this example, a packet that has a source address of 22.214.171.124 is received at FDDI interface 2/0/0. Unicast RPF checks the FIB to see if 126.96.36.199 has a return path to FDDI interface 2/0/0. If there is a matching path, the packet is forwarded. In this case, there is no reverse entry in the routing table that routes the packet back to source address 188.8.131.52 on FDDI interface 2/0/0, so the packet is dropped.
How to Configure Unicast Reverse Path Forwarding ACL Support
Configuring Unicast RPF with ACL Support
The following is sample output from the show cef interface gigabitethernet 0/0/1 command:
Device# show cef interface gigabitethernet 0/0/1

GigabitEthernet0/0/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C67D:4FFF:FEB6:E410
  No Virtual link-local address(es):
  Global unicast address(es):
    2001::1, subnet is 2001::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FFB6:E410
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  Input features: Verify Unicast Reverse-Path
  IPv6 verify source reachable-via rx, ACL test
   0 verification drop(s) (process), 0 (CEF)
   0 suppressed verification drop(s) (process), 0 (CEF)
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
The following is sample output from the show ipv6 traffic command:
Device# show ipv6 traffic

IPv6 statistics:
  Rcvd:  6 total, 0 local destination
         0 source-routed, 0 truncated
         0 format errors, 0 hop count exceeded
         0 bad header, 0 unknown option, 0 bad source
         0 unknown protocol, 0 not a router
         0 fragments, 0 total reassembled
         0 reassembly timeouts, 0 reassembly failures
  Sent:  34 generated, 28 forwarded
         0 fragmented into 0 fragments, 0 failed
         0 encapsulation failed, 0 no route, 0 too big
         0 RPF drops, 0 RPF suppressed drops
  Mcast: 6 received, 34 sent

ICMP statistics:
  Rcvd: 6 input, 0 checksum errors, 0 too short
        0 unknown info type, 0 unknown error type
        unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
        0 sa policy, 0 reject route
        parameter: 0 error, 0 header, 0 option
        0 hopcount expired, 0 reassembly timeout,0 too big
        0 echo request, 0 echo reply
        0 group query, 0 group report, 0 group reduce
        0 router solicit, 0 router advert, 0 redirects
        0 neighbor solicit, 0 neighbor advert
  Sent: 34 output, 0 rate-limited
        unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
        0 sa policy, 0 reject route
        parameter: 0 error, 0 header, 0 option
        0 hopcount expired, 0 reassembly timeout,0 too big
        0 echo request, 0 echo reply
        0 group query, 0 group report, 0 group reduce
        0 router solicit, 18 router advert, 0 redirects
        2 neighbor solicit, 2 neighbor advert
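The two outputs above carry the counters this module says to watch: the global RPF drops and RPF suppressed drops from show ipv6 traffic, and the per-interface verification drop counters that tell you which interface the traffic is entering on. The script below is an added example, not part of the Cisco guide, showing how a monitoring job could extract those counters and flag interfaces whose drop count is climbing between polls. The two sample texts are constructed: they follow the shape of the outputs shown above but with non-zero counters so that the parser has something to find.

```python
"""Extract Unicast RPF counters from IOS XE show output and flag rising drops.
Added example, not from the Cisco guide; the sample outputs are constructed
to match the layout shown in this module, with non-zero counters."""

import re

# Constructed excerpt in the layout of "show ipv6 traffic"
SHOW_IPV6_TRAFFIC = """\
IPv6 statistics:
  Rcvd:  6 total, 0 local destination
  Sent:  34 generated, 28 forwarded
         0 encapsulation failed, 0 no route, 0 too big
         17 RPF drops, 3 RPF suppressed drops
  Mcast: 6 received, 34 sent
"""

# Constructed excerpt in the layout of "show cef interface gigabitethernet 0/0/1"
SHOW_CEF_INTERFACE = """\
GigabitEthernet0/0/1 is up, line protocol is up
  Input features: Verify Unicast Reverse-Path
  IPv6 verify source reachable-via rx, ACL test
   12 verification drop(s) (process), 5 (CEF)
   1 suppressed verification drop(s) (process), 2 (CEF)
  ND DAD is enabled, number of DAD attempts: 1
"""

GLOBAL_RE = re.compile(r"(\d+) RPF drops, (\d+) RPF suppressed drops")
IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down)", re.M)
DROP_RE = re.compile(r"^\s*(\d+) verification drop\(s\) \(process\), (\d+) \(CEF\)", re.M)
SUPP_RE = re.compile(r"^\s*(\d+) suppressed verification drop\(s\) \(process\), (\d+) \(CEF\)", re.M)


def parse_global(text):
    """Global RPF counters from show ipv6 traffic, or None if the line is absent."""
    m = GLOBAL_RE.search(text)
    if not m:
        return None
    return {"rpf_drops": int(m.group(1)), "rpf_suppressed": int(m.group(2))}


def parse_interface(text):
    """Per-interface RPF counters; process-switched and CEF counts are summed."""
    name = IFACE_RE.search(text)
    drops = DROP_RE.search(text)
    supp = SUPP_RE.search(text)
    if not (name and drops and supp):
        return None
    return {
        "interface": name.group(1),
        "drops": int(drops.group(1)) + int(drops.group(2)),
        "suppressed": int(supp.group(1)) + int(supp.group(2)),
    }


def rising_drops(previous, current, threshold):
    """previous/current map interface -> cumulative drop count from two polls.
    Counters only grow, so the delta between polls is what matters; return the
    interfaces whose drops increased by more than threshold."""
    return sorted(i for i, n in current.items() if n - previous.get(i, 0) > threshold)


if __name__ == "__main__":
    print(parse_global(SHOW_IPV6_TRAFFIC))
    iface = parse_interface(SHOW_CEF_INTERFACE)
    print(iface)
    # Pretend the previous poll saw 5 drops on this interface
    print(rising_drops({iface["interface"]: 5}, {iface["interface"]: iface["drops"]}, 10))
```

A global drop count that rises while every interface's count stays flat usually means an interface with Unicast RPF enabled is not being polled; comparing the sum of the per-interface counters against the global figure is a cheap consistency check for the collector.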
Configuration Examples for Unicast Reverse Path Forwarding ACL Support
Example: Configuring Unicast RPF with ACL Support
Standards & RFCs
Feature Information for Unicast Reverse Path Forwarding ACL Support
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2012 Cisco Systems, Inc. All rights reserved.