Table Of Contents
Unicast Reverse Path Forwarding for IPv6 on the Cisco 12000 Series Internet Router
Prerequisites for Unicast RPF for IPv6
Restrictions for Unicast RPF for IPv6
Implementing Unicast RPF for IPv6
Unicast RPF for IPv6 on the Cisco 12000 Series Internet Router
Implementing Unicast RPF for IPv6
Unicast RPF for IPv6 on a Network Access Server—Example
Restrictions on Using Unicast RPF
Configuring Unicast RPF for IPv6 in Strict Checking Mode
Monitoring and Maintaining Unicast RPF for IPv6
Configuration Examples for Unicast RPF for IPv6
Configuring Unicast RPF for IPv6 with Strict Checking—Examples
Verifying Unicast RPF for IPv6—Example
ipv6 verify unicast reverse-path
ipv6 verify unicast source reachable-via rx
Unicast Reverse Path Forwarding for IPv6 on the Cisco 12000 Series Internet Router
The Unicast Reverse Path Forwarding (Unicast RPF) for IPv6 feature reduces problems caused by the introduction of malformed or forged (spoofed) IPv6 source addresses into a network by discarding IPv6 packets that lack a verifiable IPv6 source address. When enabled on a customer-facing interface (or subinterface) of a Cisco 12000 series 10G Engine 5 SPA Interface Processor (10G SIP), this feature filters IPv6 traffic to protect a service-provider network and its customer.
Feature History for Unicast RPF for IPv6
12.0(31)S
This feature was introduced in the Cisco 12000 series Internet router on the 10G Engine 5 SPA Interface Processor.
Finding Support Information for Platforms and Cisco IOS Software Images
To find information about platform support and Cisco IOS software image support, access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for Unicast RPF for IPv6
•
•
•
•
Prerequisites for Unicast RPF for IPv6
•
In Cisco IOS Release 12.0(31)S, the Unicast RPF for IPv6 feature is supported only on the 10G Engine 5 SPA Interface Processor (10G SIP) in the Cisco 12000 series Internet router.
For information about the modular services cards (SIPs) and shared port adapters (SPAs) supported on the Cisco 12000 series Internet router, refer to the Cisco 12000 Series Router SIP and SPA Hardware Installation Guide.
•
The Unicast RPF for IPv6 feature requires Cisco express forwarding (CEF) to function properly on the Cisco 12000 series Internet router.
It is not necessary to configure an input interface for CEF switching because Unicast RPF has been implemented as a search through the Forwarding Information Base (FIB) using the source IP address. As long as CEF is running on the router, individual interfaces can be configured with other switching modes. Unicast RPF for IPv6 is an input-side function that is enabled on an interface or subinterface that supports any type of encapsulation and operates on IPv6 packets received by the router. It is necessary that CEF is enabled globally in the router—Unicast RPF for IPv6 does not work without CEF.
For more information about CEF, refer to the Cisco IOS Switching Services Configuration Guide, Release 12.3.
Restrictions for Unicast RPF for IPv6
The following restrictions apply to the Unicast RPF for IPv6 feature on the 10G SIP in the Cisco 12000 series Internet router:
•
The Unicast RPF for IPv6 feature is designed to be used only on customer-facing interfaces (or subinterfaces) of the 10G SIP in a Cisco 12000 series Internet router, which is deployed as a provider edge (PE) node. We recommend that you do not enable Unicast RPF on:
–
–
Because traffic in the core network arrives through a customer-facing interface on a PE router, enabling Unicast RPF on a core router or core-facing interface is redundant.
In addition, core-facing interfaces are likely to have routing asymmetry, meaning multiple routes to the source of a packet. Only apply Unicast RPF where there is natural or configured symmetry. If administrators carefully plan the interfaces on which they activate Unicast RPF, routing asymmetry is not a serious problem.
PE routers at the edge of a service-provider network are more likely to have symmetrical reverse paths than routers in the core network. Routers that are in the core network have no guarantee that the best forwarding path out of the router will be the path selected for packets returning to the router. Hence, it is not recommended that you apply Unicast RPF where there is a chance of asymmetric routing. It is simplest to place Unicast RPF for IPv6 only at the edge of a network or, for an Internet service provider (ISP), at the customer edge of the network.
•
On the Cisco 12000 series Internet router, the Unicast RPF for IPv6 feature does not filter IPv4 traffic.
•
On the Cisco 12000 series Internet router, the Unicast RPF for IPv6 feature does not support loose checking mode as on other platforms. Only strict checking mode is supported.
–
ipv6 verify unicast source reachable-via rx
ipv6 verify unicast reverse-path
Note
–
Implementing Unicast RPF for IPv6
To configure the Unicast RPF for IPv6 feature on the Cisco 12000 series Internet router, you should understand the following concepts:
•
•
•
•
Unicast RPF for IPv6 on the Cisco 12000 Series Internet Router
When the Unicast RPF for IPv6 feature is enabled on an interface:
1.
Note
2.
–
–
–
3.
a.
b.
c.
For information about how Unicast RPF for IPv6 works with CEF to validate IPv6 source addresses by verifying packet return paths, refer to Configuring Unicast Reverse Path Forwarding in the Cisco IOS Security Configuration Guide, Release 12.3.
Implementing Unicast RPF for IPv6
On the Cisco 12000 series Internet router, Unicast RPF for IPv6 is implemented as follows:
•
•
•
Given these implementation principles, Unicast RPF for IPv6 becomes a tool that network administrators can use not only for their customers but also for their downstream network or ISP, even if the downstream network or ISP has other connections to the Internet.
For guidelines to use when deploying Unicast RPF for IPv6 on the Cisco 12000 series Internet router, refer to Configuring Unicast Reverse Path Forwarding in the Cisco IOS Security Configuration Guide, Release 12.3.
Unicast RPF for IPv6 on a Network Access Server—Example
In a service-provider network, aggregation routers are ideal places to use Unicast RPF for IPv6 with single-homed clients. A "single-homed" environment has only one access point out of the network; that is, one upstream connection. Networks having one access point offer the best example of symmetrical routing, which means that the interface at which a packet enters the network is also the best return path to the source of the IPv6 packet.
Unicast RPF for IPv6 is best used:
•
•
In fact, dialup connections are reputed to be the greatest source of DoS attacks using forged IPv6 addresses. If the network access server supports CEF, Unicast RPF for IPv6 works. In this topology, the customer aggregation routers need not have the full Internet routing table. Aggregation routers need the routing prefixes information (IP address block); hence, information configured or redistributed in the Interior Gateway Protocol (IGP) or Internal Border Gateway Protocol (IBGP) (depending on the way that you add customer routes into your network) are enough for Unicast RPF for IPv6 to function.
Figure 1 illustrates the application of Unicast RPF for IPv6 to the aggregation and access Cisco 12000 series Internet routers for an ISP point-of-presence (POP) with routers providing dialup customer connections.
Figure 1 Unicast RPF for IPv6 Applied to POP Aggregation Routers
In this example, Unicast RPF for IPv6 is applied upstream from the customer dialup connection router on the receiving (input) interfaces of the ISP aggregation routers.
Routing Table Requirements
To work correctly, Unicast RPF for IPv6 needs proper information in the CEF tables. This requirement does not mean that the Cisco 12000 series Internet router must have the entire Internet routing table. The amount of routing information required in the CEF tables depends on the:
•
•
For example:
•
•
Restrictions on Using Unicast RPF
Do not use Unicast RPF for IPv6 on core-facing interfaces that are internal to the network. Core-facing interfaces are likely to have multiple routes to the source of a packet. For the best return path (route) to the packet source, only applyUnicast RPF for IPv6 to the interface on which IPv6 packets are received. If administrators carefully plan for the interfaces on which they enable Unicast RPF for IPv6, then routing asymmetry is not a serious problem.
For example, routers:
•
•
Hence, we do not recommend that you apply Unicast RPF for IPv6 in cases in which a chance of asymmetric routing exists. Only deploy Unicast RPF for IPv6 on a Cisco 12000 series Internet router at the edge of a network, or for an ISP at the customer edge of the network.
Configuring Unicast RPF for IPv6 in Strict Checking Mode
This section describes the procedures for configuring the Unicast RPF for IPv6 feature in strict checking mode to filter IPv6 packets on the Cisco 12000 series Internet router.
Strict checking mode verifies that the source IPv6 address of an IPv6 packet exists in the routing table and that the source IPv6 address is reachable by a path through the input interface. To configure strict checking mode for IPv6, use one of the following commands:
•
•
Starting in Cisco IOS Release 12.0(31)S, the Cisco 12000 series Internet router supports both commands to enable Unicast RPF to be compatible with the Cisco IOS Release 12.3T and 12.2S software trains.
Note
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
interface type slot/subslot/port
Example:Router(config)# interface gigabitethernet 2/0/0
Specifies an input interface on which you want to apply Unicast RPF for IPv6 and enters interface configuration mode.
•
•
Note
Step 4
ipv6 verify unicast source reachable-rx
Example:Router(config-if)# ipv6 verify unicast reverse-path
Enables the Unicast RPF for IPv6 feature in strict checking mode to filter IPv6 packets.
Step 5
exit
Example:Router(config-if)# exit
Exits interface configuration mode. Repeat Steps 3 and 4 for each interface on which you want to apply Unicast RPF for IPv6 in strict checking mode.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
interface type slot/subslot/port
Example:Router(config)# interface gigabitethernet 2/0/0
Specifies an input interface on which you want to apply Unicast RPF for IPv6 and enters interface configuration mode.
•
•
Note
Step 4
ipv6 verify unicast reverse-path
Example:Router(config-if)# ipv6 verify unicast reverse-path
Enables the Unicast RPF for IPv6 feature in strict checking mode to filter IPv6 packets on a Cisco 12000 series Internet router.
Step 5
exit
Example:Router(config-if)# exit
Exits interface configuration mode. Repeat Steps 3 and 4 for each interface on which you want to apply Unicast RPF for IPv6 with reverse-path checking.
Monitoring and Maintaining Unicast RPF for IPv6
To display information about the Unicast RPF for IPv6 feature configured on an interface, use the following show commands in privileged EXEC mode. For more information, refer to the "Basic Connectivity for IPv6" section in the Cisco IOS IPv6 Command Reference.
Configuration Examples for Unicast RPF for IPv6
This section contains the following configuration examples for Unicast RPF for IPv6:
•
•
Configuring Unicast RPF for IPv6 with Strict Checking—Examples
The following example shows how to configure the Unicast RPF for IPv6 feature in strict checking mode on an input 10G SIP Gigabit Ethernet interface in a Cisco 12000 series Internet router:
Router# configure terminalRouter(config)# interface gigabitethernet 3/1/1Router(config-if)# ipv6 verify unicast source reachable-via rxThe next example also shows how to configure the Unicast RPF for IPv6 feature in strict checking mode on the same input interface in a Cisco 12000 series Internet router using the ipv6 verify unicast reverse-path command:
Router# configure terminalRouter(config)# interface gigabitethernet 3/1/1Router(config-if)# ipv6 verify unicast reverse-pathVerifying Unicast RPF for IPv6—Example
To verify that Unicast RPF for IPv6 is operational, use the show cef interface type slot/subslot/port internal command in privileged EXEC mode.
As shown in the following example, Unicast RPF for IPv6 is enabled if the line starting with IPv6 unicast RPF appears. If this line is not displayed, the Unicast RPF feature is not enabled. The numbers following drop= and sdrop= show the number of IPv6 packets dropped by Unicast RPF.
Router# show cef interface pos 2/0/1 internalPOS2/1 is up (if_number 6)Corresponding hwidb fast_if_number 6Corresponding hwidb firstsw->if_number 6Internet Protocol processing disabledInterface is marked as point to point interfaceInterface generates an auto-adjacencyHardware idb is POS2/0/1 (6)Software idb is POS2/0/1 (6)Fast switching type 4, interface type 11IP Distributed CEF switching enabledIP Null turbo vectorInput fast flags 0x0, Output fast flags 0x0, Flags 0x80041ifindex 5(5)Slot 2 Slot unit 1 VC -1Transmit limit accumulator 0x0 (0x0)IP MTU 4470Subblocks:IPv6 unicast RPF: acl=None, drop=0, sdrop=0IPv6: enabled 1 unreachable FALSE redirect TRUE mtu 4470 flags 0x0link-local address is FE80::204:6DFF:FE9A:CFFFGlobal unicast address(es):BBBB::1, subnet is BBBB::/64Input features: RPFee48sb: uidb validrx_uidb_index=12, tx_uidb_index=12if_number=6, bulk_sync_flag=0x0Subinterface Counters Subblock activeAdditional References
The following sections provide references related to the Unicast RPF for IPv6 feature.
Related Documents
Configuring Unicast RPF
"Configuring Unicast Reverse Path Forwarding" chapter in the Cisco IOS Security Configuration Guide, Release 12.3
Information about Cisco Express Forwarding on the Cisco 12000 series Internet Router
Understanding Cisco Express Forwarding
"Cisco Express Forwarding" chapter in the
Cisco IOS Switching Configuration Guide, Release 12.0Unicast RPF configuration command for IPv4: complete command syntax, command mode, defaults, usage guidelines and examples
ip verify unicast reverse-path command reference page in the Cisco IOS Security Command Reference, Release 12.3
IPv6
Cisco IOS IPv6 Configuration Library
IPv6 commands: complete command syntax, command mode, defaults, usage guidelines and examples.
"Basic Connectivity for IPv6" chapter in the
Cisco IOS IPv6 Command ReferenceConfiguration and troubleshooting procedures for the SPA interface processors (SIPs) and shared port adapters (SPAs) supported on a Cisco 12000 series Internet router.
Cisco 12000 Series Router SIP and SPA Software Configuration Guide (IOS)
Standards
MIBs
RFCs
Technical Assistance
Command Reference
This section documents new and modified commands. All other commands used with this feature are documented in Cisco IOS Release 12.0S command reference publications.
•
•
ipv6 verify unicast reverse-path
To enable Unicast Reverse Path Forwarding (Unicast RPF) for IPv6, use the ipv6 verify unicast reverse-path command in interface configuration mode. To disable Unicast RPF, use the no form of this command.
ipv6 verify unicast reverse-path [access-list name]
no ipv6 verify unicast reverse-path [access-list name]
Syntax Description
access-list name
(Optional) Specifies the name of the access list.
Note
Defaults
Unicast RPF is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
The Unicast RPF for IPv6 feature requires that Cisco Express Forwarding for IPv6 (CEFv6) is enabled on the router.
On a Cisco 12000 series Internet router, the ipv6 verify unicast reverse-path command is used to enable Unicast RPF for IPv6 in strict checking mode.
Note
Use the ipv6 verify unicast reverse-path command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through a router. Malformed or forged source addresses can indicate denial-of-service (DoS) attacks based on source IP address spoofing.
When Unicast RPF is enabled on an interface, the router examines all packets received on that interface. The router checks to make sure that the source IPv6 address appears in the routing table and that it is reachable by a path through the interface on which the packet was received. Unicast RPF is an input feature and is applied only on the input interface of a router at the upstream end of a connection.
The Unicast RPF feature performs a reverse lookup in the CEF table to check if any packet received at a router interface has arrived on a path identified as a best return path to the source of the packet. If a reverse path for the packet is not found, Unicast RPF can drop or forward the packet, depending on whether an ACL is specified in the Unicast RPF command. If an ACL is specified in the command, then when (and only when) a packet fails the Unicast RPF check, the ACL is checked to determine whether the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF.
If no ACL is specified in the Unicast RPF command, the router drops the forged or malformed packet immediately and no ACL logging occurs. The router and interface Unicast RPF counters are updated.
Unicast RPF events can be logged by specifying the logging option for the ACL entries used by the Unicast RPF command. Log information can be used to gather information about the attack, such as source address, time, and so on.
Note
When you configure a SPA on the Cisco 12000 series Internet router, the interface address is in the format slot/subslot/port.
The optional access-list keyword for the ipv6 verify unicast reverse-path command is not supported on the Cisco 12000 series Internet router. For information about how Unicast RPF can be used with ACLs on other platforms to mitigate the transmission of invalid IPv4 addresses (perform egress filtering) and to prevent (deny) the reception of invalid IPv4 addresses (perform ingress filtering), refer to the "Configuring Unicast Reverse Path Forwarding" chapter in the "Other Security Features" section of the Cisco IOS Security Configuration Guide, Release 12.4.
Note
Do not use Unicast RPF on core-facing interfaces that are internal to the network. Internal interfaces are likely to have routing asymmetry, meaning that there are multiple routes to the source of a packet. Apply Unicast RPF only where there is natural or configured symmetry.
For example, routers at the edge of the network of an Internet service provider (ISP) are more likely to have symmetrical reverse paths than routers that are in the core of the ISP network. Routers that are in the core of the ISP network have no guarantee that the best forwarding path out of the router will be the path selected for packets returning to the router. Hence, it is not recommended that you apply Unicast RPF where there is a chance of asymmetric routing. It is simplest to place Unicast RPF only at the edge of a network or, for an ISP, at the customer edge of the network.
Examples
Unicast Reverse Path Forwarding on a Serial Interface
The following example shows how to enable the Unicast RPF feature on a serial interface:
interface serial 5/0/0ipv6 verify unicast reverse-pathUnicast Reverse Path Forwarding on a Cisco 12000 Series Internet Router
The following example shows how to enable Unicast RPF for IPv6 with strict checking on a 10G SIP Gigabit Ethernet interface 2/1/2:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# interface gigabitEthernet 2/1/2Router(config-if)# ipv6 verify unicast reverse-pathRouter(config-if)# exitUnicast Reverse Path Forwarding on a Single-Homed ISP
The following example uses a very simple single-homed ISP to demonstrate the concepts of ingress and egress filters used in conjunction with Unicast RPF. The example illustrates an ISP-allocated classless interdomain routing (CIDR) block 209.165.202.128/28 that has both inbound and outbound filters on the upstream interface. Be aware that ISPs are usually not single-homed. Hence, provisions for asymmetrical flows (when outbound traffic goes out one link and returns via a different link) need to be designed into the filters on the border routers of the ISP.
interface Serial 5/0/0description Connection to Upstream ISPipv6 address FE80::260:3EFF:FE11:6770/64no ipv6 redirectsipv6 verify unicast reverse-path abc!ipv6 access-list abcpermit ipv6 host 2::1 anydeny ipv6 FEC0::/10 anyipv6 access-group abc inipv6 access-group jkl out!access-list abc permit ip FE80::260:3EFF:FE11:6770/64 2001:0DB8:0000:0001::0001anyaccess-list abc deny ipv6 any any logaccess-list jkl deny ipv6 host 2001:0DB8:0000:0001::0001 any logaccess-list jkl deny ipv6 2001:0DB8:0000:0001:FFFF:1234::5.255.255.255 any logaccess-list jkl deny ipv6 2002:0EF8:002001:0DB8:0000:0001:FFFF:1234::5172.16.0.00.15.255.255 any logaccess-list jkl deny ipv6 2001:0CB8:0000:0001:FFFF:1234::5 0.0.255.255 any logaccess-list jkl deny ipv6 2003:0DB8:0000:0001:FFFF:1234::5 0.0.0.31 any logaccess-list jkl permit ipv6ACL Logging with Unicast RPF
The following example demonstrates the use of ACLs and logging with Unicast RPF. In this example, extended ACL abc provides entries that deny or permit network traffic for specific address ranges. Unicast RPF is configured on interface Ethernet 0/0 to check packets arriving at that interface.
For example, packets with a source address of 8765:4321::1 arriving at interface Ethernet 0 are dropped because of the deny statement in ACL "abc." In this case, the ACL information is logged (the logging option is turned on for the ACL entry) and dropped packets are counted per-interface and globally. Packets with a source address of 1234:5678::1 arriving at interface Ethernet 0/0 are forwarded because of the permit statement in ACL abc. ACL information about dropped or suppressed packets is logged (the logging option is turned on for the ACL entry) to the log server.
!interface ethernet 0/0ipv6 address FE80::260:3EFF:FE11:6770/64 link-localipv6 verify unicast reverse-path abc!ipv6 access-list abcpermit ipv6 1234:5678::/64 any log-inputdeny ipv6 8765:4321::/64 any log-inputRelated Commands
ip cef
Enables CEF on the route processor card.
ip verify unicast reverse-path
Enables Unicast RPF for IPv4 traffic.
ipv6 cef
Enables CEF for IPv6 interfaces.
ipv6 verify unicast source reachable-via rx
To enable Unicast RPF for IPv6 in strict checking mode on a Cisco 12000 series Internet router, use the ipv6 verify unicast source reachable-via rx command in interface configuration mode. To disable Unicast RPF, use the no form of this command.
ipv6 verify unicast source reachable-via rx
no ipv6 verify unicast source reachable-via rx
Syntax Description
This command has no arguments or keywords.
Defaults
Unicast RPF is disabled.
Command Modes
Interface configuration
Command History
12.0(31)S
This command was introduced on the 10G Engine 5 SPA Interface Processor in the Cisco 12000 series Internet router.
Usage Guidelines
Use the ipv6 verify unicast source reachable-via rx command to enable the Unicast RPF for IPv6 feature in strict checking mode.
Note
1.
2.
3.
4.
Note
When you configure a SPA on the Cisco 12000 series Internet router, the interface address is in the format slot/subslot/port.
The optional access-list, allow-self-ping, allow-default, and any (enables loose checking mode) parameters, that are supported in the ip verify unicast source reachable-via command for IPv4 traffic on other platforms, are not supported for the ipv6 verify unicast source reachable-via rx command on the Cisco 12000 series Internet router.
The Unicast RPF for IPv6 feature requires that Cisco Express Forwarding for IPv6 (CEFv6) is enabled on the router.Do not use Unicast RPF for IPv6 on core-facing interfaces that are internal to the network. Internal interfaces are likely to have routing asymmetry, meaning that there are multiple routes to the source of a packet.
Only apply Unicast RPF for IPv6 where there is natural or configured symmetry. For example, Cisco 12000 series Internet routers:
•
•
Hence, it is not recommended that you apply Unicast RPF for IPv6 RPF where there is a chance of asymmetric routing. Only place Unicast RPF for IPv6 at the edge of a network, or for a service provider at the customer edge of the network.
Examples
The following example shows how to enable Unicast RPF for IPv6 in strict checking mode on a 10G SIP Gigabit Ethernet interface.
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# interface gigabitEthernet 1/2/1Router(config-if)# ipv6 verify unicast source reachable-via rxRouter(config-if)# exitRelated Commands
ip verify unicast source reachable-via
Enables Unicast RPF for IPv4 traffic in loose or strict checking mode.
Copyright © 2005 Cisco Systems, Inc. All rights reserved.
Guest
