Unicast IPv4 and IPv6
Reverse Path Forwarding (uRPF), both strict and loose modes, help mitigate
problems caused by the introduction of malformed or spoofed IP source addresses
into a network by discarding IP packets that lack a verifiable IP source
address. Unicast RPF does this by doing a reverse lookup in the CEF table.
Therefore, Unicast Reverse Path Forwarding is possible only if CEF is enabled
on the router.
Unicast RPF allows
packets with 0.0.0.0 source addresses and 255.255.255.255 destination addresses
to pass so that Bootstrap Protocol and Dynamic Host Configuration Protocol
(DHCP) will function properly.
When strict uRPF is
enabled, the source address of the packet is checked in the FIB. If the packet
is received on the same interface that would be used to forward the traffic to
the source of the packet, the packet passes the check and is further processed;
otherwise, it is dropped. Strict uRPF should only be applied where there is
natural or configured symmetry. Because internal interfaces are likely to have
routing asymmetry, that is, multiple routes to the source of a packet, strict
uRPF should not be implemented on interfaces that are internal to the network.
The behavior of
strict RPF varies slightly by platform, number of recursion levels, and number
of paths in Equal-Cost Multipath (ECMP) scenarios. A platform may switch to
loose RPF check for some or all prefixes, even though strict RPF is configured.
When loose uRPF is
enabled, the source address of the packet is checked in the FIB. If it exists
and matches a valid forwarding entry, the packet passes the check and is
further processed; otherwise, it is dropped.
Loose and strict uRPF
supports two options:
option allows the source of the packet to ping itself. The
option allows the lookup result to match a default routing entry. When the
option is enabled with the strict mode of the uRPF, the packet is processed
further only if it arrived through the default interface.