Use the Unicast
Reverse Path Forwarding for IPv6 feature to mitigate problems caused by
malformed or spoofed IPv6 source addresses that pass through an IPv6 device.
Malformed or forged source addresses can indicate denial-of-service (DoS)
attacks based on source IPv6 address spoofing.
When uRPF is enabled
on an interface, the device examines all packets received on that interface.
The device verifies that the source address appears in the routing table and
matches the interface on which the packet was received. This "look backward"
ability is available only when Cisco Express Forwarding is enabled on the
device; this is because the lookup relies on the presence of the Forwarding
Information Bases (FIBs). Cisco Express Forwarding generates the FIB as part of
its operation.
Note: uRPF is an input function and is applied only on the input interface of
a device at the upstream end of a connection.
The uRPF feature verifies whether any packet received at a
device interface arrives on one of the best return paths to the source of the
packet. The feature performs a reverse lookup in the Cisco Express Forwarding
table. If uRPF does not find a reverse path for the packet, uRPF can drop or
forward the packet, depending on whether an access control list (ACL) is
specified. If an ACL is specified, then when (and only when) a packet fails the
uRPF check, the ACL is consulted to decide whether the packet should be dropped
(a deny statement in the ACL) or forwarded (a permit statement in the ACL).
Regardless of whether the packet is then dropped or forwarded, it is counted in
the global IP traffic statistics for uRPF drops and in the interface statistics
for uRPF.
If no ACL is specified, the device drops the forged or
malformed packet immediately and no ACL logging occurs. The device and
interface uRPF counters are updated.
uRPF events can be logged by specifying the logging option for
the ACL entries. Log information can be used to gather information about the
attack, such as source address and time.
Note: With uRPF, all equal-cost "best" return paths are considered valid. uRPF
works in cases where multiple return paths exist, provided that each path is
equal to the others in terms of the routing cost (number of hops, weights, and
so on) and as long as the route is in the FIB.
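The decision sequence described above (reverse lookup in the FIB, equal-cost paths all valid, ACL consulted only on failure, counters updated on every failure) as an added Python model; this is not Cisco code, and the FIB contents, interface names and ACL are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed FIB: IPv6 prefix -> set of interfaces that are equal-cost best
# paths to that prefix. A prefix with several interfaces models ECMP.
FIB = {
    ipaddress.ip_network("2001:db8:1::/48"): {"Gi0/0"},
    ipaddress.ip_network("2001:db8:2::/48"): {"Gi0/1", "Gi0/2"},  # two equal-cost paths
    ipaddress.ip_network("2001:db8::/32"): {"Gi0/3"},
}

# Constructed ACL, consulted only when the uRPF check fails: (action, prefix) in order.
ACL = [
    ("permit", ipaddress.ip_network("2001:db8:1::/48")),
    ("deny", ipaddress.ip_network("::/0")),
]

def reverse_lookup(src):
    """Longest-prefix match of the source address in the FIB.
    Returns the set of best-path interfaces, or an empty set if no route exists."""
    best = None
    for prefix, ifaces in FIB.items():
        if src in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifaces)
    return best[1] if best else set()

def acl_action(acl, src):
    """First matching ACL entry wins; an ACL ends with an implicit deny."""
    for action, prefix in acl:
        if src in prefix:
            return action
    return "deny"

def urpf_check(src_addr, in_iface, acl=None, counters=None):
    """Strict uRPF on one received packet. Returns 'forward' or 'drop'.
    The packet passes if in_iface is any of the equal-cost best return paths
    to its source. On failure the uRPF counters are bumped whether or not an
    ACL later permits the packet; without an ACL the packet is dropped at once."""
    src = ipaddress.ip_address(src_addr)
    if in_iface in reverse_lookup(src):
        return "forward"
    if counters is not None:
        counters["global_urpf_drops"] += 1
        counters[in_iface + "_urpf"] += 1
    if acl is None:
        return "drop"
    return "forward" if acl_action(acl, src) == "permit" else "drop"

if __name__ == "__main__":
    stats = Counter()
    print(urpf_check("2001:db8:2::5", "Gi0/2"))            # ECMP path: forward
    print(urpf_check("2001:db8:1::10", "Gi0/3", ACL, stats))  # fails check, ACL permits
    print(dict(stats))
```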